The foundations of your cyber security strategy have already been outlined in Part 1 of our Guide. This second part deals with implementation. In concrete terms, this will involve questions like: What objectives do you need to set yourselves? What features characterise an effective cyber security strategy? And why is it worth seeking certification for your business’s internal ISMS (information security management system)? All of these issues and more are covered in this, the second section of our Cyber Security Guide.
“Cyber attacks on our company? You’re kidding – we’re of no interest to hackers. Why would they bother with us?” We hear phrases like this again and again. Unfortunately, they reflect a misunderstanding of the facts. Cyber criminals very often specifically target smaller businesses employing fewer than 1,000 people. Do you know why? Because such companies are the very ones that are not (yet) sufficiently aware of information security matters, which in turn means more opportunities for attackers. What’s more, unprotected systems are the ideal target for cyber criminals, as they are easy to compromise and enrol, together with systems belonging to other organisations, into a massive cluster of compromised machines. That cluster can then be used to carry out a large-scale distributed attack.
The four features of an effective cyber security strategy
These are the reasons why it’s vital that your business protects its information and sets meaningful cyber security goals. What, you might be wondering, will these involve? Allow us to put you on the right track. A clearly devised cyber security strategy will necessarily include the following four elements:
- The setting of goals and priorities
- The definition of potential threat scenarios
- The identification of potential damage
- The establishment and comparison of options for action
Getting down to business: cyber security implementation
You’ve set your objectives, so let’s move on to the details of executing them. An ISMS (information security management system) provides the framework for ensuring information security in your organisation. There are, of course, a variety of frameworks in existence; we recommend the ISO/IEC 27001 standard or the NIST Cybersecurity Framework (CSF) to all our clients. There are all sorts of reasons why it makes sense to certify your internal ISMS, and whichever framework you choose, the elements common to all of them include the following:
- A systematic approach to security, rather than “security by obscurity”
- Design and documentation of the security architecture; definition of policies, specifications and ISMS-focused measures; and regular checks on and optimisation of security, including data protection management
- Establishment of comprehensive risk management systems and processes based on the GRC (governance, risk and compliance) model
- Implementation of the “need to know” principle
- Development of an SLA management system based on operational specifications
- Definition of an emergency management system and the corresponding recovery and restart procedures
- Targeted training and security awareness building for employees with regard to risks and appropriate everyday behaviour
Once you have decided on a framework, there’s nothing to stop you implementing it successfully.
Implementing information security in your business
It’s worth mentioning one piece of advice up front: actively involve your directors or senior managers in your certification plans. Our experience shows that a management system for information security only becomes effective if everyone in the business is on board. It’s also vital to think through the following issues and identify corresponding actions:
- What security measures are already in place? To minimise the impact on resources and expenditure, we advise you to use these existing measures as your basis and continue building on them. This helps to limit implementation costs.
- Devise policies. Your security policies play a key role in your overall security measures, so it’s crucial to formulate them so that they are practicable, precise and easy to understand. A useful motto here is “Think big, do small”.
- Consider the organisational profile of your own specific business.
- Make your ISMS part of your daily activities! The ISMS should – in fact, must – form a central element of your organisation’s activities not just on paper, but in the minds of all your employees.
The advantages of certification
Not yet sure about the whole thing? If so, we’d be happy to help – and to show you the benefits certification can bring for you and your business, including:
- Compliance with statutory and contractual obligations
- Appropriate and sustainable support for the availability, confidentiality and integrity of information
- An informed approach to handling risks and minimising potential hazards
- ... and much more besides.
Available here – your free-of-charge Cyber Security Guide
You can find the complete list of all benefits in our Cyber Security Guide white paper. This also lists the final three points of our master plan for maximum cyber security. Have we convinced you? And are you keen to get started on implementing your strategy now? Then download our complete Cyber Security Guide right away and start developing or implementing your cyber security strategy without delay.