With cyber threats now more ubiquitous than ever, investing in cyber security is crucial in order to protect both businesses and customers. This does not just mean investing in technology, but also in the people and processes that drive this forward and this must be appropriately planned, designed and implemented.
Surprisingly, despite more than 50% of businesses acknowledging that the protection of company data is their top reason for investing in cyber security, over a third are not confident in their ability to protect that data.
This uncertainty is concerning, and suggests that some businesses are investing ‘blindly’ in cyber security. Businesses buy products without a proper understanding of their own security weaknesses, which often renders the investment ineffective, or the products are improperly configured, which provides a false level of assurance.
As the demands upon businesses to invest in this space increase, it is important to recognise that investment does not have to always be financial, though it should be carefully considered and linked to the risk appetite of the business. Investments, both in financial terms and effort, which are not tied into other activities, can work independently for a short period of time, but tying these investments into wider initiatives will provide a greater degree of holistic protection to the business.
Utilising industry standards such as the NIST Cybersecurity Framework allows an organisation to assess its current and future security needs through a consistent risk language. Established by the US government, the NIST framework prioritises identifying, protecting, detecting, responding and recovering from cyber threats and events, and is a useful model for businesses to follow when enhancing their security posture. But if investment is not based on thorough research, and driven by the business need to de-risk the organisation, it is impossible to properly address any of the pillars of this framework.
Alongside thorough research and evidence, investment should also be based on the specific risk profile and nuances of the business, and the first step in identifying this is gaining an understanding of what the risk profile and threat landscape to the organisation is.
Ideally, start with a consultancy-led threat assessment to determine your true security posture, as well as the risks and threats to peers and competitors in your industry or similar ones. You can then identify potential attackers, the data they want, and how they would cause damage or steal data or information. With this insight, you will be forewarned and forearmed to better protect your business.
The output of these exercises provides a strong baseline from which to develop a cyber strategy that takes into account people, process and technology, along with the through-life risk management of any third parties, enabling stronger cyber governance. In most instances, the hardest thing to change in an organisation is its culture; although the focus on technological solutions is important, it must be considered alongside people and processes as well. It is also important not to focus solely on future-proofing, but to protect legacy equipment too, as this often takes more time and effort to defend.
Clear recommendations on worthwhile investment will support businesses in implementing improvements and leave them better protected. Ultimately, this means that customers and the client base are best served, while the brand and customer loyalty are protected.
By Frank Morris, Global Risk Management and Governance Director, NCC Group