New Year, New You: that’s the common headline as we all make our way to work. Our New Year resolutions quickly fall by the wayside as we fall back into old habits and the familiar way of doing things. And the same is often true when it comes to reviewing and addressing working practices.
We are naturally resistant to change and may even circumvent new controls in our desire to stick with what we know. Yet that resistance can be dangerous. It introduces predictability that can see risk escalate and can stymie innovation. So what should we be doing to reinvigorate our approach to information security? Here are our Top Five New Year Resolutions for cyber security.
No. 5: Go beyond compliance – compliance regulations such as ISO 27001 are necessary and can be an invaluable benchmark. But for those organisations faced with conforming to multiple compliance requirements there is the danger of duplicated effort and adherence to rigid frameworks that don’t take into account the nuances of the organisation, its systems and processes. An integrated formal management system can provide an overarching management function which maps any overlaps, adapts and adds to the requirements, and effectively creates a single bespoke security solution. Being compliant and being secure are not one and the same, but understanding and managing compliance is a good first step.
No. 4: Understand your data – data is often the most critical business asset, but it’s not a static commodity. Data changes in state all the time, depending on its use, combination with other data sets, value over time, and even changing external factors. Consequently, non-sensitive data can become sensitive and vice versa. This means it is vital that the organisation maps the information estate in order to be able to ‘landscape’ or partition data and award it the right level of protection. But it’s not only data access that is the issue here; there’s also the way data is handled. Look at the data ‘lifecycle’, or how data is documented from the cradle to the grave, to ensure it is created and disposed of appropriately. Once you know the data, it should be that much easier to adjust processes to accommodate new regulations, such as the imminent EU General Data Protection Regulation (EU GDPR).
No. 3: Test the technology – like any routine process, security testing can be relegated to being little more than a tick-box exercise, yet it has the potential to be so much more. By devising a playbook of possible attacks the organisation can test its security mechanisms and its ability to react and respond to mitigate those attack scenarios. How effectively is sensitive data protected from an attack? How quickly can the organisation lock down systems? What processes need to kick in to maintain critical business functions? Cyber attack scenarios aren’t just for big-league players but can be a useful testing ground for the regular enterprise. There should also be provision for external security testing, with regular penetration testing to rigorously test the resilience of the organisation.
No. 2: Embrace risk – risk is not just an abstraction that needs to be assessed and controlled. It can and should be used to identify and exploit opportunities in the market. There will be acceptable risks just as there are non-acceptable ones. Effective cyber risk management will see these risks monitored, recorded in a risk register, and regularly reported to senior management to create actionable intelligence. Done efficiently, risk reporting can empower CXOs to make the right decisions and can enable them to respond in an informed manner if the organisation does come under attack.
No. 1: Put people first – monitoring multiple attack vectors can seem like an impossible task, but all too often the weak link is the user. Poor security practices can markedly increase the likelihood of a successful attack, so seek to educate staff but also look at how you foster a culture of cyber awareness. Seek to develop your own programme that deals with the issues pertinent to your organisation and its structure. And encourage disclosure through an open disclosure policy that rewards staff for bringing issues to your attention.
The past two years have seen cyber attacks continue to rise in a cumulative fashion. Organisations have continuously failed to grasp the potential danger of the cyber threat to the data they hold, and have underestimated the role security has to play, with many C-level execs being criticised for tardiness. But 2016 is the year of the Red Fire Monkey in the Chinese calendar, making it a year for the cheeky and the curious. So perhaps it’s time to listen to the mavericks, be nimble and sure-footed, and make some changes, such as by making security a priority in the year ahead.