How to build a comprehensive cyber security strategy

Thanks to digital transformation, securing data across the business is more challenging than ever

Most, if not all, businesses know the importance of protecting themselves against cyber threats. If your organisation is breached the consequences can be serious, both reputationally and, thanks to GDPR, financially.

Therefore, it's important to have an effective cyber strategy, but it's not always easy to put something in place that provides comprehensive coverage. The work doesn't stop at implementation, either: the strategy needs to be regularly reviewed to ensure continued compliance with legislative and regulatory requirements, as well as adherence to internal rules.

Ownership, mandate and scope

In order to build a functional and comprehensive cyber security strategy, you need to have a mandate at the most senior level of the organisation. This means the Chief Security Officer (CSO), Chief Technology Officer (CTO) or someone in a similar role should have responsibility. The implications of GDPR on data security need to be understood and built into the plan and the senior officers must ensure both they and senior managers are aware of their responsibilities.

Outsourcing some or all of the actual work will be attractive to many organisations. Advantages to this approach include a fresh perspective, access to skills that might not be available in-house, and the ability to work faster than if internal staff, with their ongoing role responsibilities, take the work on. But external support needs to be very well directed and managed, to ensure the right outcomes are achieved. Collaboration with an external organisation, rather than total outsourcing, may be a better way forward.

It's also vital that a cyber security strategy is scoped as a business enabler, not something that will get in the way of people trying to do their jobs. Adam Toulson, managing director at Accenture Security, tells IT Pro: "Success requires more than just threat detection and compliance. A good security strategy should always complement the business strategy rather than stifling it."

Organisations also need to bear in mind that a strategy must be both comprehensive and achievable. That's not necessarily an easy balance to achieve. Toulson advises: "Keeping it simple, with a maximum of five or six key objectives, will ensure that everyone is bought into the strategy and is working towards the same goal."

Don't leave anything to chance

If you sit down and make a list of everything that's got to be covered in a cyber security strategy, plenty of things will easily spring to mind. You'll likely focus right from the start on the obvious technology and on the data that it holds. Kevin Curran, professor of cyber security at Ulster University and a senior member of the IEEE offers a starter list: "All aspects relating to the protection of data need to be considered. This includes examining security of physical locations and employee access, data storage, data backups, network security, compliance and recovery procedures, and of course all IoT devices."

But there's a lot more to a comprehensive cyber security strategy than those more obvious areas. One area that's very easy to omit or only pay partial attention to is software. Before rolling out any strategy, you should do a full software audit of your organisation. As a minimum, you need to record all software in use, where it was sourced, what the contractual agreements are for payment, how frequently and through what mechanism it's updated (is this done in house and if so by whom, how often, where are the update logs kept), and who has ownership.

This might be a bigger task than you think. Ownership might not be with the IT team; indeed, you may find software that's crept in completely under the radar. In all these scenarios, you need to establish whether or not the owner is fully aware of their responsibilities and, if they're not, educate them or consider moving ownership over to the IT department.
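As an added illustration (this is not code from the article or from IT Pro), the following Python script models the minimum audit record described above and flags the gaps the article says an audit needs to close: missing source, licence, update mechanism or owner; manual updates with nobody responsible or no log location; software that hasn't been updated recently; and an owner outside IT who hasn't been briefed on their responsibilities. The inventory entries, the field names, the `owner_briefed` flag and the 90-day staleness threshold are all constructed assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample inventory (not real data): one record per piece of software,
# holding the fields the article says a minimum audit should record.
INVENTORY = [
    {"name": "PayrollSuite", "source": "vendor contract", "licence": "annual subscription",
     "update_mechanism": "vendor auto-update", "updated_by": "vendor",
     "last_update": "2020-07-20", "update_log": "/var/log/payroll/updates.log",
     "owner": "Finance", "owner_briefed": True},
    {"name": "BuildTool", "source": "open source (GitHub)", "licence": "Apache-2.0",
     "update_mechanism": "manual", "updated_by": "",
     "last_update": "2019-11-02", "update_log": "",
     "owner": "IT", "owner_briefed": True},
    # Shadow IT: nobody knows where it came from or who looks after it.
    {"name": "TeamChatPlugin", "source": "", "licence": "",
     "update_mechanism": "", "updated_by": "",
     "last_update": "", "update_log": "",
     "owner": "", "owner_briefed": False},
]

# Fields every record must have filled in before the audit is considered complete.
REQUIRED_FIELDS = ("source", "licence", "update_mechanism", "owner")

# Assumed threshold (not from the article): flag anything not updated within 90 days.
MAX_UPDATE_AGE = timedelta(days=90)


def audit_record(rec, today):
    """Return the list of findings for one inventory record (empty list = clean)."""
    findings = []

    for field in REQUIRED_FIELDS:
        if not rec.get(field):
            findings.append(f"missing {field}")

    # In-house (manual) updating needs a named person and a known log location.
    if rec.get("update_mechanism") == "manual":
        if not rec.get("updated_by"):
            findings.append("manual updates but nobody responsible")
        if not rec.get("update_log"):
            findings.append("no update log location recorded")

    # Staleness check on the last recorded update.
    if rec.get("last_update"):
        age = today - date.fromisoformat(rec["last_update"])
        if age > MAX_UPDATE_AGE:
            findings.append(f"last update {age.days} days ago")
    else:
        findings.append("no last update date recorded")

    # Owners outside IT are fine, but only if they know what they are responsible for.
    owner = rec.get("owner")
    if owner and owner != "IT" and not rec.get("owner_briefed"):
        findings.append(f"owner {owner} not briefed on responsibilities")

    return findings


def audit_inventory(inventory, today=None):
    """Audit every record; `today` is an ISO date string, defaulting to the real date."""
    today_date = date.fromisoformat(today) if today else date.today()
    return {rec["name"]: audit_record(rec, today_date) for rec in inventory}


def records_needing_action(report):
    """Names of records with at least one finding, sorted for stable output."""
    return sorted(name for name, findings in report.items() if findings)


if __name__ == "__main__":
    report = audit_inventory(INVENTORY, today="2020-08-12")
    for name in records_needing_action(report):
        print(name)
        for finding in report[name]:
            print(f"  - {finding}")
```

Run as-is it prints the findings for the two records that need attention; in practice the inventory would be loaded from whatever register the organisation keeps, and the date threshold tuned to the update cadence each product is contractually supposed to have.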

What about people and partners?

A cyber security strategy needs to take account of the risk people can bring. As Curran says: "People are often the weakest link in security, therefore it is important to ensure all employees are well trained on aspects such as cyber security best practices like phishing and data sharing practices, keeping software updated, unique strong passwords, enabling two-factor authentication and so on."

Within enterprises, senior IT management will usually be the most enthusiastic about introducing the security awareness component of a cyber security strategy, because they recognise the risks that stem from uneducated employees. Put simply, awareness reduces the number of threats they have to detect and remediate.

The same level of enthusiasm may be difficult to coax from fellow C-level employees, though. For senior business managers, security training may be viewed as an unwanted disruption to workflow, harming productivity. In response to such complaints, IT leaders must highlight that by eliminating security threats, users will be more productive in the long term. After all, security training is much less of a disruption to business than a ransomware attack that infiltrates systems and brings all operations to a standstill.

Further down the ladder, general staff may not believe or understand the threat level, may not believe it will affect them directly, or may have unsubstantiated faith in their ability to counter threats. In reality, attack methods are constantly evolving, and if employees' knowledge doesn't keep pace, the risk gap widens. To bring employees on board with awareness training, engaging courses must be delivered that focus not only on the importance of vigilance, but also on rewarding personnel for improving their security behaviours.

Curran also points out that people often don't learn until they've been bitten. Some organisations are attempting to tackle this by sending out simulated phishing emails to educate those who click, for example.

An ongoing process

If a comprehensive cyber security strategy is being set up for the first time, it will take a while. There might be some digging around, some forced changes to the ways in which some people work day to day and, depending on your strategy for controlling shadow IT, some disgruntled staff to deal with.

Once this is all done, maintaining the strategy should be an ongoing process, with frequent enough audits to ensure compliance and regular, ongoing messaging to help prevent infractions. As Curran puts it: "Organisations need to maintain their internal standards and conduct regular audits of all connected devices and security risks including physical. Without regular audits the process becomes toothless."
