An organisation's confidential information and the personal data of their customer base is a valuable commodity. Combine this with an increased reliance on doing business in a digital world and the regulatory scrutiny surrounding cyber breaches, organisations big and small need to tackle the cyber risk proactively within a broader context of crisis prevention and management.
Once the domain of adolescent hackers in their bedroom, cyber attacks are now the product of a diverse range of perpetrators ranging from organised criminals, governments, terrorists and activists, to employees and competitors. These cyber attackers use a variety of increasingly sophisticated methods, such as malicious code (e.g. viruses and the like), network based intrusions (e.g. botnets, denial of service) and behavioural exploitation (so-called social engineering).
So what can you do to join the race against cyber crime?
Information Risk Management Regime – First of all, organisations should carry out a comprehensive assessment of their existing processes and procedures to identify what valuable assets need to be protected, alongside the specific risks and potential impacts on the business if such assets were compromised. It is not possible to eliminate all risks, so it is a question of balancing them with risk appetite to ensure the business can operate effectively.
Incident Management – Organisations should establish an incident response and disaster recovery capability: produce and test incident management plans, and define roles and responsibilities of an incident response team. This team should include representatives from all relevant internal (and external) stakeholder groups, including a technical team to investigate the breach, HR and employee representatives, the data protection officer, public relations and legal representatives, and the board. Input from external advisers may be valuable in providing a different perspective (particularly if a breach is suspected to be an inside job) and supplementing internal skill sets.
Regulatory and Compliance Governance – Cyber security is the focus of increased regulatory attention across the world. However a lack of harmonisation of cyber security-related legislation makes it difficult to investigate and prosecute offenders if the categorisation of cybercrimes and other misuse of cyberspace differ from country to country. Therefore it is of vital importance to the organisation to seek legal advice as soon as possible to ensure regulatory, reporting and compliance obligations are understood and that, in the event of a cyber attack, the investigations surrounding it can maintain appropriate legal privilege.
User Education and Awareness – Given that many data security breaches happen as a result of employee action or inaction, user education and awareness is crucial. An organisation can have in place the most comprehensive policies and procedures but if its employees are not educated on them, they will not be effective as a risk mitigation tool. Organisations should therefore produce user security policies covering acceptable and secure use of the organisation’s systems, establish a staff training programme, and maintain user awareness of the evolving cyber risks.
Network and IT Security – The steps described above are in addition to the usual network and IT security measures undertaken by many organisations. Steps should be taken to ensure that networks are protected against external and internal attacks, including establishing anti-malware and firewall defences, intrusion prevention and detection systems, filtering out malicious content, monitoring and testing security controls (e.g. through penetration testing), and applying security patches.