So, you have a single clear aim: to ensure the best possible security for your organisation. It sounds easy, doesn’t it? The reality, however, is much more complex. Nowadays, cyber-crime is unfortunately an everyday occurrence. The degree to which Swiss companies have found themselves under attack has risen significantly and is likely to increase still further over the coming year. No organisation can consider itself safe – including your own. However, to ensure you enjoy the best possible level of defence, and to bring your cyber security measures in line with the latest standards, InfoGuard has drafted this “Cyber Security Guide” for managers like you. In this article, you’ll discover the steps you need to take in order to implement successful cyber security management – and the particular steps you should ideally start with right now...
We have set ourselves the goal of providing all those responsible for cyber security with the best possible support for their daily activities. In fact, we’ve gone so far as to make your life so simple that you can get back to concentrating on only the most essential matters. You can do this with the help of our handy guide, which outlines a master plan for maximum cyber security. It consists of a nine-point plan developed by us and that we will be presenting over the course of a three-part series of blogs during the coming weeks. Anyway, let’s get down to business. We’ll start with the first three points:
1. Understanding your legal and compliance requirements
There’s probably no organisation in the world that doesn’t map its business processes digitally in one form or another, if only to document the processes and the background issues involved. It’s therefore essential that you are familiar with and understand your business’s legal situation and the associated security standards and IT compliance requirements. Only by gaining such an awareness of these requirements can you reduce – or even avoid – the likely risks. Even so, it’s worth remembering one thing: there’s no such thing as absolute security, or in other words, absolute protection from cyber-attacks.
What’s more, a variety of additional laws, standards and principles will apply alongside any industry-specific guidelines, such as those for financial institutions and healthcare providers, not to mention current security standards including ISO 27001, the NIST Cyber Security Framework and the BSI “IT-Baseline Protection” methodology. Specific regulations to be considered include the following:
- The Swiss Data Protection Act
- Regulations for specific sectors, such as FINMA, PCI DSS, HIPAA, and so forth
- IT Security Act
- The EU’s Directive on Security of Network and Information Systems (NIS Directive), which includes an incident-reporting obligation for operators of essential services (critical infrastructures) and for digital service providers
2. Bringing senior managers on board
In the second stage of the process, it’s important that you secure comprehensive and appropriate support for your plan. In other words, as the person responsible for security, you need to get senior management – right up to director or chief officer level – on board and involved with the issue of cyber security. This is the basis for efficient cyber security management. It’s therefore vital that you convince senior executives of the importance and value of cyber security. Our experience shows that an inadequate understanding of the topic and insufficient support from the management team can be – and often is – one of the main reasons why cyber security policies fail.
You should therefore ask yourself the following questions. Do you have the support of your directors and managers? Are your senior managers fully aware and – importantly – also involved in the cyber security process? If not, then you know what to do. If the answer is yes, then let’s move straight to the next point.
3. Gaining awareness of your particular risks
How sure are you that you’re secure? After all, risks can be present anywhere – yes, absolutely anywhere. The plus side of this is that most organisations are aware of this fact and will have developed a risk management policy. This represents an essential component of your information security management system or ISMS. The aim here is to help you enhance your levels of security, thereby reducing risks and fulfilling compliance requirements. Here are some of the aspects to cover:
- Inventory and assessment of all assets within the scope of the ISMS
- IT risk management focused on specific protection goals (e.g. confidentiality, integrity and availability)
- Assessment built around the threats, the weaknesses and the adequacy of the measures adopted
- ... and more besides.
Your internal control system (ICS) represents another important management tool within your organisation. Indeed, it’s worth remembering the following maxim: trust is good, but control is better. An effective ICS involves identifying all potential risks associated with your operational business processes and defining the associated control mechanisms. The goal will always be to reduce the greatest risks to an acceptable minimum. To find out about the best ways of doing this, consult our “Cyber Security Guide”.
The guide will inform you of the ways in which such a tool can make your work easier, which laws you need to be aware of, and the reasons why it’s important to get senior management on board (and how you can do this). In the next two blog articles, we’ll also introduce the remaining six steps of our nine-point master plan. A good motto to remember, then, is to “Stay alert – for security’s sake!"
Available here – your free-of-charge Cyber Security Guide
Interested to find out more? Then download our guide right away and start developing or implementing your cyber security strategy. Here is the link for downloading our “Cyber Security Guide”: