Combatting cyber risk is crucial in any business. According to the recent Horizon Scan report by the Business Continuity Institute (BCI) (in association with BSI), cyber-attack remains the top threat perceived by businesses. Many companies continue to trail behind on information security; however, following the recent introduction of the European General Data Protection Regulation (GDPR), UK companies will be obliged to protect the personal data they hold on customers, employees, prospects and others – with the risk of penalties for any failure to do so.
So what steps can be taken to prepare for such attacks and incidents?
1. Be aware
The first step starts with awareness and not being complacent about the problem. Don't assume that size or industry can exempt you from a breach: smaller businesses are often targeted precisely because compromising them gives attackers a route into the larger companies they work with.
2. Know your enemy
Security threats come from a wide range of sources with most data breaches being caused by bad business practices. Poor physical security, lost memory sticks, non-password protected devices, unencrypted laptops, and loose talk can contribute to breaches.
3. Look inwards
All businesses, regardless of size, must consider the risks to information and understand what they are trying to protect. So, are existing security measures effective? Have controls to mitigate the identified risks been determined? Consider penetration testing to verify that your security measures actually work.
4. Get an Information Security Management System
After identifying information security risks, the next step is knowing what to do and how to do it. This is where an ISMS, or Information Security Management System, such as ISO 27001 can help. It provides a framework for identifying and managing information security risks in a cost-effective way, putting appropriate controls in place to reduce the risk of security threats and to help prevent weaknesses in systems from being exploited. In addition, organizations might consider the government-backed Cyber Essentials scheme, and CSA STAR Certification or ISO/IEC 27018, which address specific cloud security concerns. The BSI Kitemark™ for Secure Digital Transactions may be suitable for organizations that wish to demonstrate they go above and beyond these standards.
5. Get personal
Encouraging staff to make their personal information security a natural part of their routines can help businesses to secure corporate information too. Training and awareness activities alert staff to the importance of taking as much care with business information as they would with their own personal information. Being vigilant when using devices or carrying paperwork on public transport, and avoiding confidential conversations in public, are a couple of ways to protect data.
6. Look outwards
Many businesses share sensitive information across and between organizations. If information is shared with a supplier, the company would be failing in its duty of care if the supplier's handling of that information was insecure. What information actually needs to be shared? What safeguards does the supplier have in place to protect confidential data?
Organizations must be trusted to safeguard sensitive information. In order to be resilient, businesses must manage information – physical, digital and intellectual property – throughout their lifecycle, from source to destruction. This requires the adoption of information security-minded practices that allow stakeholders to gather, store, access and use information securely and effectively.