Businesses face a wide range of cyber threats. Whether in the form of attacks on their websites and servers, or inadvertent leakage of sensitive data, cyber threats can cause huge harm. In fact, cyber attacks on the financial services and oil and gas sectors are currently at an all-time high and this has potentially serious implications for the global economy.
Here is a short list of the main steps a business can take to protect its staff, computing assets and sensitive data:
1. Budget for Cyber Security Measures – Chase (a division of JP Morgan Chase) state that “A prudent first step would be to ensure your senior management is educated on the importance of cyber security budgeting so they can advocate security as a business imperative and actively support those initiatives”.
2. Raise awareness by training all staff on cyber security fundamentals – everyone has a part to play in protecting the organisation from cyber-based threats. The more your staff know and understand, the greater your protection. It is important to tailor the training to the role the member of staff fulfils but the key point is not to do everything in ‘silos’. Cyber risk management is not only within the purview of IT specialists. It has an impact on everyone. Training should be relevant, connected, engaging, timely and repeated. Often!
3. Ensure that both existing and new cyber technologies are adequately addressed in policies and procedures – and once this has been completed, conduct regular reviews, audits and tests. Putting in place a structure that ensures the latest developments are captured, understood, evaluated as threats to the business, documented and distributed will help ensure a robust response. Keep security for end users simplified. The more complex it is, the less inclined users will be to use it.
4. Classify the data held by the business so that the most sensitive data is given the highest level of protection – data does change in priority so the importance of on-going monitoring cannot be underestimated. Set security levels that are appropriate to the data retained and regularly review who has access and their levels of access, to ensure that these are appropriate.
5. Develop Incident Response Plans for all foreseeable cyber security eventualities. An example of a typical Incident Response Plan can be downloaded from the site.
6. Protect networks and devices by deploying cost-effective technical solutions. This might include employing defence-in-depth strategies that emphasise multiple, overlapping and mutually supportive systems that guard against single point failures in any specific technology. It will also involve keeping software patches up to date, especially on the systems that host public services.
7. Review sign-on methodologies and determine whether more advanced methods of authentication are needed.
8. Consider the need for data encryption of both databases and devices.
9. Review wireless network security to determine whether it can be easily hacked or socially engineered by outsiders.
10. Report Cyber Incidents. As Chase point out in their Best Practice Guidelines, “Cyber incidents are not without financial consequences. The ability to assess and prevent damages and develop the appropriate countermeasures is predicated on more organizations stepping forward and reporting information on incidents – including financial loss data – to law enforcement. Assessing the damage and quantifying the cost impact of cyber incidents is difficult since there is a limited amount of standard methodologies and metrics available for compilation. The lack of data, including frequency of incidents, can be attributed in part to the reluctance of victimized companies to go public. Plus, many cyber incidents go undetected, adding to the paucity of available information.”
11. Partner with the government and academia. Ultimately, expeditious information sharing is vital for private sector companies to improve cyber security.