The importance of cybersecurity in your business

Cybercrime is expected to hit revenues of $10.5 trillion by 2025, making it the third largest economy in the world after the US and China. If you think taking serious steps towards a good cybersecurity posture is not required or can be left until later… think again.

Why does cybersecurity not get the attention it deserves in all organisations?

There’s a range of reasons: over-exposure and therefore a fatigue to the topic, a lack of budget, ‘it’ll never happen to us’ mentality, lack of sufficient knowledge and skills in-house and more. The common thread running through all of those topics is insufficient responsibility and accountability for cybersecurity at senior levels, combined with a lack of understanding and/or appreciation for the importance of good governance and control.

Cybersecurity roles and responsibilities

The organisations who proactively manage their cybersecurity risk, are those which have dedicated personnel to manage this day in and day out. Someone at the top to take accountability and drive a responsibility model across the organisation.

Dedicated roles and responsibilities for cybersecurity at senior levels encourages a secure ethos and culture in an organisation. The top-down approach is often overlooked and yet is a crucial cog in a never ending cycle of security. Why do I think that? Because cybersecurity is an organisational responsibility. It’s not ‘IT’s problem’, those days are a distant memory. Every individual has a role to play in maintaining the security of their organisation. If senior individuals set great examples (formal policies, procedures and leading by example), they can expect others to follow suit.

What does good governance and control look like and how does it start?

Cybersecurity can appear a daunting topic. It’s vast, covering things like disaster recovery planning, incident response management, secure configurations of apps, least privilege access administration, endpoint detection and response, vulnerability management, vendor due diligence… the list goes on. But, when you move past the scary topics of IT and the technical jargon, it soon becomes apparent that there are simpler first steps to be made.

Implementing policies, for example, help drive the culture of an organisation. It holds people to account. It’s important that policies should be seen less as a ‘stick’ and more as a ‘carrot’. There shouldn’t be immediate and extensive reprimand for owning up to a mistake when clicking on a potentially malicious link – that doesn’t foster a positive cybersecurity culture. You need to turn those situations into positive, teachable moments. A mistake flagged early could be the difference between your organisation continuing to function seamlessly, and being on its knees at the hands of a cyber criminal. This is where the top-down approach can really help. Fostering a nurturing environment to take ownership of mistakes and see them as learning opportunities is the best place to be for any organisation.

Policies on best practice and acceptable behaviours when using organisational assets and technology (commonly referred to as acceptable use policies) are a good start. Then expanding to policies like, passwords, backups and restores, change management, access administration, audit and event logging – soon a culture is forming for all to follow. You should definitely not stop there after taking those first steps; the journey has only just begin. There are lots of tools and guidance readily available. The NCSC is a fantastic resource. Sometimes the difficulty can be finding the time to read it and implement it all.

Robust cybersecurity processes and controls require input from no less than HR, Board, Finance, IT, Procurement, and probably more. This further supports the fact it’s an organisation’s responsibility to foster a positive cybersecurity culture. The most successful organisations in the world have fantastic leadership with a vision that everyone has bought into. Cybersecurity should be an umbrella, protecting that entire vision on a rainy future of cyber crime.

Knowing where to start

You don’t have to tackle cybersecurity as a behemoth task at once. Small steps will allow you to move in the right direction, improving your cybersecurity posture while breaking down the huge cyber-blocker into manageable chunks.

To tackle those small chunks, you need to set goals and objectives which are achievable over time. The below are my own personal and professional views. There will be many other steps in between at a more granular level but feels like a good summary:

1. Make someone both responsible and accountable for cybersecurity at senior management and board level and empower them
2. Identify and analyse the areas of the business which are most sensitive and most at risk
3. Assess possible solutions to address the risk exposure, taking into account costs, expertise required, timeframes etc
4. Continuously improve cybersecurity year-on-year by allocating a sufficient budget
5. Repeat steps two, three and four annually at a minimum and soon after any significant organisational changes.

If you’re unable to complete any or all of those steps in-house, please seek support. Our specialist cyber security team works with clients across the UK, identifying vulnerabilities, minimising risks, strengthening security and training staff. We tailor our approach to help you make better, more informed decisions across your digital and IT systems. To get in touch, please click here.