Regardless of whether you’re new to business or leadership, or you have been in business for a while, when you first start to take your cyber security approach seriously, you may well discover that your first challenge is where to start.
There are many different elements to cyber security, and many different ways to approach them once you start looking at the detail of everything you need to do, but as a starting point there are really two fundamental approaches you can choose to take.
The first approach is to pick a framework or a set of standards and work towards that.
A bit of research will show you that there are a number of frameworks to pick from: Cyber Essentials, the CIS Controls, or ISO standards such as ISO 27001, for example. All vary somewhat and have a slightly different focus, but there are certainly common themes running through most of these standards and frameworks.
The nature of frameworks, however, is that they are trying to be all things to all people; it is extremely difficult to create a framework which is equally applicable to all types of businesses or organisations. So how do you know which one is most applicable to you, and which one to pick if that is the cyber security approach you are going to take? That is not an easy question to answer.
Following a framework is one valid approach to cyber security. It gives you something to work towards. But how applicable is it to your organisation? Answering this question is not something you need to do alone, from within the walls of your organisation.
We can support you in gaining ISO 27001 accreditation or Cyber Essentials certification, but training and awareness are something we strongly believe in, and to that end we have built a number of training courses and workshops. These will not only inform and educate, but will also empower the right people in the right roles to ask and answer the questions most relevant to your business.
Rather than focusing on frameworks, you may decide to instead take a risk-based cyber security approach. This is an approach that is more tailored towards your specific business or organisation. It considers the specific data that you have, the systems you use, the people you have in your organisation and their level of understanding of all things security, the processes that you have in place, and how all of these combine to create risk specific to you.
How this happens depends on who you partner with. Our approach is to come into your business and run discovery workshops on site with your teams. This enables a depth of understanding which allows us to develop the most relevant and workable cyber security roadmap for you: a roadmap that will get you to a position where your risks are being proactively managed.
Different organisations have different security requirements. What sort of differences are we talking about, though? Let's look at three key ones.
Firstly, there is data. Some organisations are heavily reliant on data, some not so much. Some organisations collect and process particularly confidential or sensitive data, such as health data. Whatever data or sensitive information your business handles, it is of paramount importance to fully understand the implications of a data breach for you, your customers and those whose data you hold.
Secondly, there are people. Some organisations have only employed staff, where elements of security policy can be made part of their employment contract and ongoing training, whereas other organisations rely heavily on freelancers or subcontract staff, where this is not so easy. Management of the systems used by these groups also differs in how practical it is: managing and controlling company-supplied devices is one thing, but devices owned by a freelancer or subcontractor present a particular challenge.
Thirdly, there is technology and technical infrastructure. Every single business is unique in this aspect, so there is no "out of the box" solution to understanding what risks your specific solutions and set-up pose. Whilst understanding your technology is a key part of understanding your business, we would also advocate that increasing awareness amongst your staff should be front of mind when choosing how you approach cyber security.
Security is all about risk: appreciating it, understanding it, and reducing, mitigating or sometimes accepting it. Building confidence in your organisation and across all teams and departments is not something that should be left as a nice-to-have part of your cyber security approach. Investing in your people, as well as in technology and advice, will go a long way to ensuring you are as well protected as you can be from cyber threats.