According to Accenture, the number of leaders spending more than 20 percent of IT budgets on advanced technology investments has doubled in the last three years. Deciding where and how to spend that budget may feel like a daunting task, especially to an SME organisation.
Decide who will be responsible for your cyber security policies
- The board should have sight of threats to their organisation. Take a “ground truth” view of your organisation's current cyber posture. View yourself through the lens of a hostile attacker.
- Even if you enlist another company, you still need someone within your firm to be the high-level decision maker, especially if there is a breach and action is required.
- Always plan. Making sure you have the proper procedures in place is essential if you want to operate effectively.
- Define all staff members’ responsibility for cyber security, and make sure they know the consequences should they or your company fall victim to a cyber attack.
- Review your current policies regarding internet access (if you don't have any, create some) for all company-owned devices. Ensure you have physical security for your office building, data centre and staff, especially if employees take company devices home, or have been working from home extensively during lockdown.
- You need to set password policies and encryption requirements for all data.
- Make sure you have decommissioning procedures in place. Have your IT department log all employees who own or lease company property.
Defence in Depth
Defence in Depth refers to a cyber security approach in which a series of security mechanisms and controls are thoughtfully layered throughout an organisation to protect it from hostile attacks. While no individual mitigation can stop all cyber threats, together they provide mitigations against a wide variety of threats while incorporating redundancy in the event one mechanism fails. When successful, this approach significantly bolsters protection against many attack vectors.
Like any business decision, you need to research and compare options before implementing cyber defences. A defence in depth approach will allow you to adopt a scalable, bespoke solution for your organisation's needs. Many third-party organisations provide cyber security services, so the first step is to understand what services are available, and which best fit your specific business. Every organisation is different, and therefore a bespoke pick-and-mix approach should be adopted to provide a robust cyber defence toolkit. The consequences of falling victim to a cyber attack will be detrimental to your organisation, including its brand and reputation, and will result in financial loss. Depending on the type of attack, this loss can be substantial. To ensure that your organisation is secure, it's crucial to balance the threat with the business's risk appetite and your in-house skill set before considering the appropriate technical controls or deciding what kind of external resources are needed to support you. Considering these different elements will allow you to develop a cost-effective cyber security programme best suited to your organisation's needs and size.
What can you afford?
No business can predict when or how they will face a cyber threat, but they can fortify vulnerable areas and improve cyber hygiene in advance. Reducing the chance of a successful attack will naturally reduce the need for incident management, and all the associated costs. A cyber attack can make or break a company depending on how prepared it is. How much an organisation chooses to spend on cyber security should be an informed business decision, and will be unique to each company. When deciding budgets, a question we should keep at the front of our minds is: can we afford NOT to implement robust cyber security defences?