With nearly a third of companies now falling victim to cyber-attacks, organisations know they need to invest in adequate defences. But they don’t always have a big budget to do this. The good news is there are several options for businesses that need to be efficient and make the most of what they already have. Here, Richard Nelson, senior technical consultant at Probrand, considers how businesses can guard against the risk of security threats without breaking the bank.
Maximising cyber security ROI
Creating a robust cyber strategy for the unique needs of your business is vital to ensure you are focusing your attention on what’s most significant. You should start by identifying the purpose and goals of your organisation.
For example, if you are a food manufacturer, your purpose may be to supply supermarkets with pre-packaged sandwiches, and your goal is to produce 200,000 packages per day. If that processing facility were to go offline for one day due to an attack, what would be the impact of failing to produce those sandwiches? This might include a revenue loss of £100,000 per day, reputational damage, legal fees and the potential for retailers to exercise contract break clauses.
By imagining your worst day, you can start to get a clearer picture of what systems are critical to business operations and what downtime you can afford. This will help you to identify where investment and resources are most needed.
Protecting your key assets
The next step is to understand whether the defences you currently have in place can adequately protect critical systems, networks and data. To really put this to the test, consider using an internal or external security team to attack those systems, and record what happens. You’ll want to know:
- How did you identify the attacks?
- What contained or eradicated the attacks?
- What was the response and aftermath?
This exercise can reveal your strengths and weaknesses when it comes to the technologies, people and processes you have in place to protect the business.
Technologies – Learnings from these types of exercises nearly always reveal ways to optimise existing tools and technologies and operate more efficiently. For example, you may discover you have duplicate tools and there is an opportunity to cancel contracts and reinvest. In addition, there may be underutilised native security settings you could be taking greater advantage of, such as a built-in email filter to protect against spam and phishing emails.
You may also find that software updates and patches are not up to date. This is an easy win for closing off known vulnerabilities, as much of the work can be automated. It may also be that configuration improvements can help fill any gaps or weaknesses you have identified.
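As an added illustration of the two checks just described (duplicate tools and out-of-date software), here is a small Python audit that runs over a software inventory. It is example code written for this article, not a Probrand tool or anything from the original piece. The inventory, the product names and the version baseline are all constructed for the example; in practice the inventory would come from your asset-management or endpoint-management export.

```python
"""Audit a software inventory for two cheap wins: duplicate tools in the same
category on one host, and installed versions behind an approved baseline.

All data below is constructed for illustration; product names are hypothetical.
"""
import re
from collections import defaultdict

# Constructed inventory rows: (host, tool category, product, installed version)
INVENTORY = [
    ("fin-ws-01", "edr", "VendorA Endpoint", "7.2.1"),
    ("fin-ws-01", "edr", "VendorB Protect", "4.10.0"),   # second EDR agent on one host
    ("fin-ws-01", "browser", "Firefox", "115.0.2"),
    ("ops-srv-02", "edr", "VendorA Endpoint", "7.2.1"),
    ("ops-srv-02", "ssh", "OpenSSH", "8.9p1"),
    ("ops-srv-03", "edr", "VendorA Endpoint", "7.1.0"),
    ("ops-srv-03", "ssh", "OpenSSH", "8.2p1"),
]

# Constructed baseline: the minimum version you have approved for each product.
BASELINE = {
    "VendorA Endpoint": "7.2.0",
    "VendorB Protect": "4.10.0",
    "Firefox": "115.3.0",
    "OpenSSH": "8.9p1",
}


def parse_version(version):
    """Turn a version string into a comparable tuple of integers.

    Vendor strings vary ("7.2.1", "8.9p1", "22.04"); pulling out the numeric
    runs is enough for a greater-than / less-than comparison here.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def find_duplicate_tools(inventory):
    """Return {(host, category): [products]} where a host carries more than one
    distinct product in the same category (e.g. two EDR agents)."""
    by_slot = defaultdict(set)
    for host, category, product, _version in inventory:
        by_slot[(host, category)].add(product)
    return {
        slot: sorted(products)
        for slot, products in by_slot.items()
        if len(products) > 1
    }


def find_outdated(inventory, baseline):
    """Return (host, product, installed, required) for every row whose installed
    version is below the baseline. Products with no baseline are skipped here and
    surfaced separately by find_unbaselined()."""
    outdated = []
    for host, _category, product, installed in inventory:
        required = baseline.get(product)
        if required is None:
            continue
        if parse_version(installed) < parse_version(required):
            outdated.append((host, product, installed, required))
    return sorted(outdated)


def find_unbaselined(inventory, baseline):
    """Products present in the estate but with no approved version on record.
    These are the gaps a tooling review should close, not silently ignore."""
    return sorted({product for _h, _c, product, _v in inventory} - set(baseline))


def main():
    for (host, category), products in find_duplicate_tools(INVENTORY).items():
        print(f"DUPLICATE  {host}: {len(products)} x {category} -> {', '.join(products)}")
    for host, product, installed, required in find_outdated(INVENTORY, BASELINE):
        print(f"OUTDATED   {host}: {product} {installed} (baseline {required})")
    for product in find_unbaselined(INVENTORY, BASELINE):
        print(f"NO BASELINE {product}")


if __name__ == "__main__":
    main()
```

The duplicate check is what turns "we might be paying for two EDR products" into a concrete list of hosts and contracts to rationalise; the baseline check gives the patching team a prioritised queue rather than a vague sense that things are behind. Extend BASELINE as you approve new versions, and treat anything reported by find_unbaselined() as a product nobody has yet decided how to keep current.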
People – Implementing measures that encourage staff to adopt a ‘zero trust’ mindset (verify an unexpected request, link or attachment rather than assuming it is legitimate) will help to minimise the chance of an attack being successful. There are several low-cost activities businesses can take to create this strong security culture.
Much like you would review the tools and technologies in your organisation, it is well worth spending time reviewing what skills exist within the security and IT teams, as well as the wider business. Are there opportunities to spread knowledge and cross-train staff? Know-how can be shared in many ways, whether through lunch-and-learn events or more formal training and simulations. This does not need to be expensive. There are also a number of free resources available, such as Dracoeye, which teams can use to search for and identify security threats.
In addition to training, organisations need to focus on creating a culture where staff are encouraged to report suspicious activity without fear of “getting it wrong.” To aid this, consider using a dedicated portal where staff can share any issues and where anything immediately dangerous can be escalated. The worst scenario is where staff are too afraid to say anything. You want people to feel they are in an environment where they can speak up without fear or repercussion.
Processes – Finally, it’s important to look at the processes and solutions you have in place if the worst should happen. This is all about planning. It’s about knowing how each part of the business will keep functioning until a clean-up can be carried out. Do you understand what your legal obligations are in terms of informing customers? Depending on the nature of the breach, you may also need to inform authorities such as the Information Commissioner's Office (ICO); under UK GDPR, a personal data breach that is likely to put individuals at risk must be reported to the ICO within 72 hours of becoming aware of it, so the playbook needs to name who makes that call and on what evidence. Staff will always feel better if they know there is a playbook and a plan for each scenario.
By following these steps, businesses can make more of what they have and identify opportunities to redistribute budgets and make immediate savings. The biggest victory, however, is having an effective cyber strategy that the business is confident in. This will vastly reduce the risk of financial and reputational damage and allow the business to continue to deliver on its goals.