Cyber security is a constantly evolving field with no easy quick fix. News headlines attest to the fact that big businesses are far from infallible; however, as multinationals put more resources into security and breach prevention, cyber criminals are increasingly diverting their activity towards the mid-sized enterprise as a softer target.
So, as a business owner or IT leader, how do you know where to start improving critical security controls?
A crucial first step in any programme of cyber improvement is to seek to understand and review the threat-prone parts of your business and the intrinsic risks your organisation faces, at a ‘macro’ level.
Here, however, we aren’t talking about risks like ransomware or phishing emails, but rather about gaining a deep understanding of the vulnerability areas and the risk to the inherent value and core functions of your business.
There are three major risk areas to consider:
1. What does your business footprint look like?
2. What are your most critical and valuable business assets?
3. What would a hacker find most valuable?
Risk identification determines the threats relevant to your specific organisation and the likely impact if the associated vulnerabilities are exploited. This will help you make more informed decisions about security – from allocating the right resources, processes and technologies to applying the appropriate level of security controls to prevent data falling into the wrong hands.
Your Individual Business Footprint
Two seemingly identical businesses may actually be very different. One business may transact 100% online, direct with consumers, while another may distribute via a network of 3rd-party vendors. Whether you are a bricks and mortar enterprise, operate entirely digitally or sit somewhere between these two extremes, you should consider your full spectrum business presence:
- Location & People: Where are you physically located, how many offices and where do your employees operate from?
- Business Environment: Is your industry highly regulated? What compliance standards must you adhere to?
- Competition: Are you a high growth start-up or an established business? Market-leader or fast follower?
- Physical Assets: Do you have high value assets or use high value materials? Control of your physical assets will also rely on digital information to enforce security processes.
- Digital Footprint: What and where are your digital assets? Think about your company information and reputation - your digital behaviour and trail on social media and the web.
Understand the value of your most critical assets
Information is often the most valuable asset to a business. Physical assets are easy to account for; digital assets are less tangible but are becoming increasingly valuable. Depending on your industry, certain types of data are subject to regulatory standards and must be protected by law.
What data is mission-critical to your business?
Personal information like bank account numbers or health records is easily monetised in the criminal market. What about your organisation’s financial data? Intellectual property, which defines and distinguishes you from your competitors? Cyber criminals are highly motivated, highly resourced and operate within an industrialised network, so understanding and accounting for your assets is vital for knowing how to protect them.
Performing regular audits on your physical and digital assets and anything that is essential to core operations will allow you to prioritise how you protect them, rather than applying an expensive and ineffective blanket approach.
Quantify potential threats – know your likely attackers
Having identified the most important things you’re trying to protect – the core value, assets and key business functions of your organisation – it is now also important to consider who might be attacking you. Who might want to steal your data, make it inaccessible, alter it or wish to disrupt your operations? Consider your business from an attacker’s perspective:
What is most valuable to an attacker?
What are their typical attack methods?
Hackers have a lot to gain from a successful breach. Certain types of business are more likely to be hit by a certain type of criminal. A mid-sized law firm will attract a different sort of hacker than an online currency exchange business or a human-rights charity. The size, profile and nature of your business will influence the likelihood of different types of cyber criminals targeting you. By understanding their motivations, personas and objectives, you will have a clearer idea of how, where and why they would attack your specific business.
Know your Risk Profile to #getcybersecure
Without knowing your risk profile, you could waste time, effort and money implementing measures to defend against events that are unlikely to occur or won’t have much material impact on your organisation. Likewise, it is possible to underestimate or overlook risks that could cause significant damage.
By taking the time to identify and understand the realistic risks and current threat exposure specific to your business, you’re well on your way to building the foundation of a prioritised and effective ongoing security strategy that measurably reduces risk and keeps your business from being the next cyber security headline.
About Comtact Ltd.
Comtact Ltd. is a government-approved Cyber Security and IT Managed Service Provider, supporting clients 24/7 from our ISO27001-accredited UK Security Operations Centre (SOC).
Located at the heart of a high security, controlled-access Tier 3 data centre, Comtact's state-of-the-art UK Cyber Defence Centre (SOC) targets, hunts & disrupts hacker behaviour, as part of a multi-layered security defence, to help secure some of the UK's leading organisations.