As I move around talking to business leaders of companies of all sizes, one thing stands out: there are many different views as to how involved management needs to be in cyber defence, and some of these views differ markedly. They range from a very hands-off approach, happily leaving it to IT support, to a minority who, it has to be said, see it as their own responsibility.
Arguably one of the most important roles, if not the most important role, of any CEO/MD/Chairman (call him or her whatever you like; for the purposes of this article I’ll stick with CEO) is to establish the importance of cyber defence in everyone’s mind. The tone has to come from the top to be accepted and effective. When cyber defence is clearly prioritised by the CEO and the Board, it assumes an importance in the minds of employees. It is crucial that everyone from the CEO down understands the impact that a cyber breach, a scam or a cyber-based fraud can have on the bottom line.
This also aligns cyber defence and data protection with the business goals. Cyber defence is a business issue, not an IT issue. It’s crucial that everyone clearly understands this and how it should be woven into the very fabric of the business. The CEO and the board have a clear perspective on the company’s strategic goals and direction. By being involved with cyber defence, they can ensure that it is aligned with the broader business strategy so that the business’s data and systems are fully protected. It also helps secure budgets for cyber security tools, training and personnel to address the threats to the business.
CEOs might need advice and guidance, but their involvement is essential and will help to identify issues which may not be clear to employees, especially technical employees. One such issue is reputational damage. The damage to a company from a data breach may not be immediately clear. But once it hits the press, or once the company becomes subject to a fine from a regulatory body such as the Information Commissioner, the word tends to spread. If you can’t be trusted to maintain confidentiality, can you be trusted with other things? Doubt spreads and can destroy vendor, customer and partner relationships.
Cyber defence begins with risk management. Managing cyber risks is no different from managing any other business risk. There is no business without risk; the trick is to manage your risks down to a level that you are prepared to accept, known as your risk appetite. This must involve the CEO, the directors and the business managers. Each knows what could damage, perhaps catastrophically, their part of the business. IT staff don’t have this knowledge; their focus is often on the technical risks, not the business risks.
Risk management itself begins with a clear cyber defence and data protection strategy. Depending on the size of your business, some elements of the strategy suggested below may not be relevant to you. It is offered as a guide, not an absolute.
Figure 1 – Suggested Cyber Strategy Framework
To help define your strategy, you need to undertake a risk analysis, which will inform the selection, deployment and management of Appropriate, Affordable and Accreditable (if required) controls.
Appropriate in the sense that controls need to support rather than hinder business processes, as well as being capable of achieving their goals; your controls also need to be appropriate to your business. Affordable may seem self-explanatory; however, in the context of cyber security controls and overall budgetary constraints, return on investment is as important as cost effectiveness. Accreditation to agreed cyber security standards – of which there are many – is crucial for all organisations. Being able to provide a trail of evidence which demonstrates ongoing compliance with the selected standards is essential in times of crisis.
Having got this far, we need a risk treatment plan to match the identified risks. What you’re trying to achieve is to manage each risk down to an acceptable level. Don’t get bogged down in trying to eliminate risk; you won’t succeed. Instead, get the risk down as low as you can. Don’t make it too complicated: identify your risks as High, Medium or Low, then manage the high risks down to Low, followed by the medium risks. You do this by applying controls, be they procedural or technical, to each risk and measuring the outcome.
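As an added illustration (not part of the original post), here is a small risk register in Python that follows the High/Medium/Low treatment loop just described: rate each risk, work the highs down first, record the control applied and re-score to measure the outcome. The likelihood × impact scoring on a 1–3 scale, the appetite of "Low", and all the sample risks, owners and controls are assumptions for the example; the post only names the three bands.

```python
"""Minimal risk register for a High/Medium/Low treatment plan.

Added example, not from the original post. Assumption: a risk's band is
derived from likelihood x impact, each scored 1-3; the post names the
bands but not how to score them.
"""
from dataclasses import dataclass, field

BAND_ORDER = {"High": 0, "Medium": 1, "Low": 2}


def rate(likelihood: int, impact: int) -> str:
    """Map 1-3 likelihood and 1-3 impact to a band (assumed scoring scheme)."""
    for value in (likelihood, impact):
        if value not in (1, 2, 3):
            raise ValueError("likelihood and impact must be 1, 2 or 3")
    score = likelihood * impact
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    name: str
    owner: str          # the business owner of the risk, not IT
    likelihood: int     # inherent score before any control
    impact: int
    # Each entry: (control applied, re-scored likelihood, re-scored impact)
    controls: list = field(default_factory=list)

    @property
    def inherent(self) -> str:
        return rate(self.likelihood, self.impact)

    @property
    def residual(self) -> str:
        """Band after the most recent control; inherent band if none applied."""
        if not self.controls:
            return self.inherent
        _, likelihood, impact = self.controls[-1]
        return rate(likelihood, impact)

    def apply_control(self, control: str, likelihood: int, impact: int) -> str:
        """Record a procedural or technical control and re-score (measure the outcome)."""
        self.controls.append((control, likelihood, impact))
        return self.residual


def treatment_queue(register: list, appetite: str = "Low") -> list:
    """Risks still above appetite, Highs first then Mediums, in register order."""
    open_risks = [r for r in register if BAND_ORDER[r.residual] < BAND_ORDER[appetite]]
    return sorted(open_risks, key=lambda r: BAND_ORDER[r.residual])


def build_sample_register() -> list:
    # Constructed sample entries; names, owners and scores are illustrative only.
    return [
        Risk("Ransomware on file server", "Operations Director", 3, 3),
        Risk("Invoice fraud via spoofed email", "Finance Director", 2, 3),
        Risk("Lost unencrypted laptop", "HR Director", 2, 2),
        Risk("Website defacement", "Marketing Manager", 1, 2),
    ]


def demo() -> tuple:
    """Return the treatment queue before and after the sample controls are applied."""
    register = build_sample_register()
    before = [r.name for r in treatment_queue(register)]
    ransomware, fraud, laptop, _ = register
    # Work the Highs first; a single control may only bring a High to Medium.
    ransomware.apply_control("Tested offline backups", 3, 2)              # still High
    ransomware.apply_control("Patching and MFA on remote access", 1, 2)   # Low
    fraud.apply_control("Call-back verification of bank detail changes", 1, 2)
    # Then the Mediums.
    laptop.apply_control("Full-disk encryption on all laptops", 2, 1)
    after = [r.name for r in treatment_queue(register)]
    return before, after


if __name__ == "__main__":
    queue_before, queue_after = demo()
    print("To treat:", queue_before)
    print("Still above appetite:", queue_after)
```

The queue is what the CEO and directors should be looking at: it lists only the risks still above the agreed appetite, with the business owner named against each, and it empties only when the re-scored residual band, not the good intentions of the control, reaches the appetite.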
It sounds complicated and you may need guidance, but once done and adhered to, it gives you the peace of mind of knowing that you have done what you need to do to get your cyber defence in place.
H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.
To learn more about the services we provide please click here https://www.hah2.co.uk/
Please feel free to give us a call or email.
Alternatively book a demo on our Calendly link https://bit.ly/3yoT0qi
T: 0845 5443742
M: 07702 019060
Trust H2 – Making sure your information is secure