Cyber Security: Is your company prepared?
A cyber security plan has been likened to a computer backup regime: something you only see the value of when things go wrong. Seriously wrong. In the second of our Cyber Security Awareness features for Cyber Security Month we look at the need for developing an effective Security Improvement Plan and discover that it really isn’t that difficult.
What is a Security Improvement Plan?
First, what exactly do we mean by a Security Improvement Plan? Think of it as an action plan for making your company more secure. By providing insights for staff it changes the complex, fast-changing world of security into something much more intuitive, accessible and understandable. It puts you in control of your security.
A competent security improvement plan helps to develop and constantly optimise security management as the risks in the field of cyber security are constantly changing. Good security improvement plans fit into overall company plans and procedures and rapidly become part of the overall corporate culture.
It’s important that the plan takes account of all security aspects – and potential vulnerabilities – within the company. That involves the processes, the technologies and – something that is often neglected – the people. The people? Yes, your staff are your greatest asset and can also be one of your greatest security risks. It’s important that you ensure that they are aware of those security risks, whether overt attacks by cyber criminals or breaches that result from poor processes.
Writing your Plan
The basis for most security implementation plans is ISO 27001. This is the only certifiable international standard that defines the requirements for an information security management system.
Significantly, ISO 27001 involves regular assessments, a process that helps you continuously improve security throughout the business. ISO 27001 is also a sign to your suppliers, customers and the business world at large of your commitment to security, and certification is often mandatory for major projects and contracts.
Your plan will probably begin with a security risk assessment where you will:
- Identify risks
- Analyse risks
- Evaluate risks
Then you’ll look at how you treat these risks and set performance indicators to measure progress across all aspects of your security. After that it will be a case of implementing the plan: devising a strategy to do so and defining how you will monitor, report on and update the business on the outcomes.
Writing – and implementing – a security implementation plan is not difficult but, particularly for the uninitiated, the process can seem daunting when you need to construct something that is genuinely comprehensive. It can be easy to neglect just one aspect, and that’s all a cyber-criminal would need to gain access to your systems, networks – and data. That’s where we can help.
We can devise a plan customised to your business and market sector that considers any standards or control frameworks that are applicable. We always use ISO 27001 as a baseline to implement a management system to design, implement, monitor, evaluate and adjust security measures but will also incorporate any relevant international and national standards such as:
- ISO 27002
- COBIT (for financial institutions)
- NIST Cybersecurity Framework
- IT security guidelines for web applications from the NCSC (IT service providers)
Your business may require you to go further and look at other assessments such as:
We understand, however, that all companies and organisations are different. They all have their own unique needs when it comes to security. That’s why we like to precede every project with an informal discussion. With no obligation, we will discuss your business, the cyber security threats it faces and the risks – both external and internal – you might be exposed to.
Don’t Overlook GDPR Compliance
It was the cyber security buzzword – or buzzwords – of 2018, but GDPR compliance is no less significant today. As you’re probably aware, the General Data Protection Regulation is something that any company that operates in the EU, or provides equipment or services to companies there, must comply with. It’s something that most companies are familiar with, but fewer are successfully compliant. Lack of compliance can be costly – both in terms of substantial fines (with several high-profile companies having already been subject to such penalties) and damage to reputation.
It’s therefore crucial that you organise your information privacy in a structured and transparent way. This is something else we can help with as part of a GDPR implementation plan.
Benefits of a GDPR implementation plan
- Quick insights into all your privacy risks
- Avoiding fines and reputation damage
- Preparation for the latest European privacy legislation
Download our datasheet on GDPR Product Device Testing to see if you could be at risk from GDPR noncompliance. Download the datasheet here.