After updating your password for what feels like the umpteenth time, have you ever just reused an old one? It’s easier to remember, after all - and a small detail, like changing your password, can feel like a futile gesture in this age of seemingly endless hacks.
You may be suffering from security fatigue. You’re certainly not alone. Half of the IT professionals surveyed in a 2016 study by the US National Institute of Standards and Technology (NIST) expressed “a sense of resignation, loss of control, fatalism, risk minimization, and decision avoidance” when it comes to cyber security. These feelings, NIST notes, are “all characteristics of security fatigue”.
But are security measures really meaningless in 2018? The answer is a decisive no. Don’t let the fatigue get you, there’s no reason to resign yourself to victimhood. A robust, well documented cyber-security strategy remains a powerful tool.
Why do you need a cyber security strategy?
Many organisations say they have a cyber security strategy, but often that’s bending the truth a little.
As the government’s Cyber Security Breaches Survey shows only around a third of firms have a formal policy on cyber security (33%) or have cyber security risks documented in business continuity plans, internal audits or risk registers (32%). It’s even lower for small businesses, where only 24% have a formal cybersecurity policy in place.
The stats paint the picture: if we’re talking about a coherent, robust and dependable strategy, most businesses are falling way short.
- You may like: The business leader's role in cybersecurity
Cyber security is more than just anti-virus software. It’s the sum of many parts, encompassing infrastructure, personnel, processes, communications, marketing, buying and selling of products.
A cyber security strategy is required for reputation’s sake, for moral peace of mind, and with the introduction of GDPR on the 25th of May 2018, as a matter of law. Business owners have to uphold certain obligations to minimise potential serious operational and financial risks for investors, staff, customers and other stakeholders .
Cyber security threats are one of the biggest risks modern businesses face. The scope of these threats is huge; from publication of sensitive internal information (such as pricing, customer data or new product designs) through to health and safety concerns around industrial control systems, not to mention possibly crippling day to day operations through denial of service attacks.
To put the above into context, IBM completes a global study every year in relation to the average cost of a data breach: in 2017, the global average cost was $3.6 million per breach.
While that figure is an average, it does not include the future costs of any fines under GDPR. Most small/medium sized businesses would find it difficult to recover from this level of loss, resulting in a devastating impact on the business, and the livelihoods of everyone involved in that business.
One final point: the vast majority of cyber-attacks are automated. Cyber criminals don’t care if you’re a bank, a large multinational, or a small company with 10 employees. At every point that you have a connection to the Internet, this connection is being probed by automated scanning systems for weaknesses. Accept that you will be breached, and that you will have to deal with the fallout at some point in the future, and you’ll be prepared for the worst when it comes.
What does a good cyber strategy look like?
No two businesses are alike. There is no one size fits all cyber security strategy - but there are good places to begin, categorised as follows:
- People: education for employees, including how to spot psychological manipulation by scammers (social engineering, as it’s also known)
- Processes: documentation and policies governing anything and everything from start to finish
- Technologies: firewalls, anti-malware and antivirus protection, etc.
- Facilities: physical security including types/ levels of access to employees and other building staff.
These are good places to start, but the ultimate aim is to create a cyber security profile unique to your business. The US National Institute of Standards and Technology’s (NIST) cybersecurity framework is one of the best frameworks available for creating your profile.
The NIST framework is exhaustive, but it allows you to easily identify what steps you must take. The framework’s core is split into five functions: identify, protect, detect, respond and recover.
These five functions are designed to cover all organisations, including large corporates and government bodies. Small businesses will have less advanced needs, but they’ll definitely need to include steps like:
- Find out who has or should have access to your business’s information and technology (Identify)
- Only allow employees to access the systems and the specific information that they need to do their jobs (Protect)
- Only install applications that you need to run your business and patch/update them regularly (Protect)
- Use reputable and approved anti-virus, anti-spyware, and other anti–malware programs on all computers and laptops (Detect)
- Identify the roles and responsibilities for when a security breach occurs, i.e. who makes the decision to initiate recovery procedures and who will be the contact with appropriate law enforcement personnel (Respond)
- Make regular, full backups of important business data/information (Recover)
The business leader’s role in developing a cybersecurity strategy
Leaders set the cultural tone in a business. Effective cyber security begins with leaders precisely communicating what changes are required and, more crucially, why these changes are important.
Business leaders must ensure that the tasks, activities, and governance are being properly enforced. There must be a board level sponsor who is responsible for delegating day-to-day cyber security projects and operations. Security should be reflected in all strategic planning.
The key is to make the challenge relatable at all levels, from the overarching business standpoint down through to departments and individuals. The risks must be communicated with conviction and meaning, accurately representing the significance of cyber security risks.
Authentic communication begins with your own watertight knowledge of the threat. If you don’t feel prepared to lead on cyber security, there are free governmental accreditations and strategies available like Cyber Essentials, Cyber Aware, and the NCSC's website on strategic planning. The NCSC also has numerous guides and walkthroughs specific to small businesses.
Get the message right
You take security seriously. You invest in physical security like locks and alarm systems, you have contingency plans in case of emergencies, you have insurance, you brief employees on health and safety.
Cyber security is the next step in that journey, and should be dealt with in the same manner as any other critical safety and security question in your business. Continuously update and review it, and make it part of the everyday.
Every employee should be aware and constantly reminded of the company’s cyber security strategy. Training should be supportive, engaging, and interactive. Employees should cosign policy documents, confirming that they understand they are responsible for adhering to and following strategy.