Cyber security is a constantly evolving field with no quick fix. News headlines attest that even big businesses are far from infallible. However, as multinationals put more resources into security and breach prevention, cybercriminals are increasingly diverting their activity towards mid-sized enterprises as softer targets.
So, as a business owner or IT leader, how do you know where to start improving critical security controls?
A crucial first step in any programme of cyber improvement is to seek to understand and review the threat-prone parts of your business and the intrinsic risks your organisation faces, at a ‘macro’ level.
Here, however, we aren’t talking about specific threats like ransomware or phishing emails, but rather about gaining a deep understanding of the areas of vulnerability and the risks to your business's inherent value and core functions.
1. What does your business footprint look like?
2. What are your most critical and valuable business assets?
3. What would a hacker find most valuable?
Risk identification determines the threats relevant to your specific organisation and the likely impact if they materialise. This helps you make more informed security decisions: allocating the right resources, processes and technologies, and applying the appropriate level of security controls to keep data out of the wrong hands.
Two seemingly identical businesses may in fact be very different. One may transact 100% online, directly with consumers; another may distribute through a network of third-party vendors. Whether you are a bricks-and-mortar enterprise, operate entirely digitally, or sit somewhere between these two extremes, you should consider the full spectrum of your business presence:
Information is often a business's most valuable asset. Physical assets are easy to account for; digital assets are less tangible but increasingly valuable. Depending on your industry, certain data types are subject to regulatory standards and must be protected by law.
What Data Is Mission-Critical to Your Business?
Personal information such as bank account numbers or health records is easily monetised on the criminal market. What about your organisation’s financial data, or the intellectual property that defines and distinguishes you from your competitors? Cyber criminals are highly motivated, well resourced and operate within an industrialised network, so understanding and accounting for your assets is vital to knowing how to protect them.
Regularly auditing your physical and digital assets, and anything essential to core operations, lets you prioritise how you protect them rather than applying an expensive and ineffective blanket approach.
Having identified the most important things you’re trying to protect – the core value, assets and key business functions of your organisation – it is now also important to consider who might be attacking you. Who might want to steal your data, make it inaccessible, alter it or wish to disrupt your operations? Consider your business from an attacker’s perspective:
What is most valuable to an attacker?
What are their typical attack methods?
Hackers have a lot to gain from a successful breach, and certain types of business are more likely to be hit by a certain kind of criminal: a mid-sized law firm will attract a different sort of attacker than an online currency exchange or a human-rights charity. Your business's size, profile and nature influence how likely various cyber criminals are to target you. By understanding their motivations, personas and objectives, you will have a clearer idea of how, where and why they would attack your specific business.
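To make the three questions above concrete (business footprint, critical assets, and the attacker's perspective), here is an added illustration that is not part of the original article: a minimal risk register in Python. It scores each asset's impact from its business value plus any regulatory obligation, estimates likelihood from the interest and capability of the threat actor most likely to pursue that asset, weighted by how exposed the asset is (online, via third parties, internal-only or physical), and ranks the assets so that spending goes where the risk actually is. Every asset, actor, category and weight below is constructed for the example; the numeric scales are an assumption, not a published method.

```python
from dataclasses import dataclass, field

# How reachable an asset is, by where it sits in the business footprint.
# Constructed weights: fully online assets are assumed most exposed.
EXPOSURE_WEIGHT = {
    "online": 1.0,       # internet-facing, transacting directly with consumers
    "third_party": 0.8,  # shared with or held by distribution partners/vendors
    "internal": 0.5,     # reachable only from inside the corporate network
    "physical": 0.3,     # bricks-and-mortar systems with no remote path
}


@dataclass
class Asset:
    name: str
    category: str        # e.g. "personal_data", "financial", "ip", "operational"
    business_value: int  # 1 (low) .. 5 (mission-critical), assigned by the business
    regulated: bool      # True if a regulator requires this data to be protected
    exposure: str        # one of EXPOSURE_WEIGHT's keys


@dataclass
class ThreatActor:
    name: str
    capability: int                     # 1 (opportunist) .. 5 (well-resourced)
    interest: dict = field(default_factory=dict)  # category -> 1..5 appetite


def impact(asset: Asset) -> int:
    """Business value, with a fixed uplift when a legal duty to protect applies."""
    return asset.business_value + (2 if asset.regulated else 0)


def likelihood(asset: Asset, actor: ThreatActor) -> float:
    """0..1 estimate of this actor going after this asset via its exposure."""
    appetite = actor.interest.get(asset.category, 0)
    return appetite * actor.capability * EXPOSURE_WEIGHT[asset.exposure] / 25


def score_asset(asset: Asset, actors: list) -> tuple:
    """Return (risk score, name of the actor driving that score)."""
    top_actor = max(actors, key=lambda a: likelihood(asset, a))
    return round(likelihood(asset, top_actor) * impact(asset), 2), top_actor.name


def prioritise(assets: list, actors: list) -> list:
    """Rank assets highest risk first as (asset name, score, top actor)."""
    rows = [(a.name, *score_asset(a, actors)) for a in assets]
    return sorted(rows, key=lambda r: r[1], reverse=True)


# Constructed sample register for a fictional mid-sized retailer.
SAMPLE_ASSETS = [
    Asset("customer_payment_records", "personal_data", 5, True, "online"),
    Asset("deal_pipeline_spreadsheets", "financial", 4, False, "third_party"),
    Asset("product_design_files", "ip", 5, False, "internal"),
    Asset("warehouse_badge_system", "operational", 3, False, "physical"),
]

SAMPLE_ACTORS = [
    ThreatActor("financially_motivated_crime_group", 4,
                {"personal_data": 5, "financial": 4, "operational": 3, "ip": 1}),
    ThreatActor("industrial_espionage", 5,
                {"ip": 5, "financial": 2, "personal_data": 1}),
    ThreatActor("hacktivist", 2,
                {"personal_data": 3, "operational": 4}),
]


if __name__ == "__main__":
    for name, score, actor in prioritise(SAMPLE_ASSETS, SAMPLE_ACTORS):
        print(f"{score:5.2f}  {name:28s}  most likely from: {actor}")
```

With the constructed inputs, the regulated, internet-facing payment records rank first by a wide margin, while the design files (high value but internal-only) outrank the partner-held deal pipeline, and the actor driving each score differs per asset: the crime group for payment data, the espionage actor for designs. That per-asset pairing is the point of looking at the business from the attacker's side rather than defending everything equally.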
Without knowing your risk profile, you could waste time, effort and money defending against events that are unlikely to occur or would have little material impact on your organisation. Equally, you could underestimate or overlook risks that could cause significant damage.
By taking the time to identify and understand the realistic risks and current threat exposure specific to your business, you’re well on your way to building the foundation of a prioritised and effective ongoing security strategy to measurably reduce risk and keep your business from being the next cyber security headline.