You already have strategies for umpteen parts of your enterprise. Now you are supposed to develop yet another one, for cyber security? Surely only the biggest companies need such a thing; at least, that is what you think. Unfortunately, many enterprises think the same way. A report recently published by swissVR Monitor says that only 35% of Swiss enterprises have defined a cyber security strategy, by which we mean long-term guidance that goes beyond specific situations, looks at a horizon of three to five years, and is reviewed yearly. Here are the benefits that such a strategy can bring to your enterprise.
With every day, each of us becomes more dependent on digital technologies. This applies to enterprises, but also to you and me, dear reader. Digital technologies, communication, infrastructures and systems are essential to most enterprises. Information and data must be immediately and constantly available. Interconnected technologies and interfaces are just as essential, for needs such as ordering materials, just-in-time production, online commerce, cloud services, IoT, cloud data centers and so on. However, we need to take care, because all of these technologies are exposed to cyber risks.
Of course, integrated planning and the usual cyber risks are found in almost every project plan. But is there a fundamental cyber strategy in place? What are the optimal controls for unexpected situations? What are the business expectations? What processes are in place in case of a security incident, such as hackers intruding into a management system? Which of the technical and organisational interfaces are critical?
Make a list of all challenges
Here is a small list of current themes and cyber threats, which you should include in your strategy:
- Ransomware: still at the top of the hackers' list, and ever more sophisticated.
- IoT: increasingly the target of attacks. In addition, the border between commercial and business solutions is becoming ever more blurred.
- DDoS (Distributed Denial of Service) attacks: easy for a hacker to set up, and always a popular first-line weapon.
- Costs of incidents: the cost of mounting a cyber attack keeps falling, and the number of incidents keeps growing. The number of publicly announced security incidents will increase even more because of the GDPR and the development of the national DSG (Data Protection Law) in Switzerland.
- Stolen data have a lively market: the reputation damage and the media exposure can be enormous and bring serious consequences.
What should you do, as an entrepreneur, about these issues? Of course, we believe that a cyber security strategy is unavoidable: you need to develop a strategy that addresses the security requirements and targets of your own business and brings them into balance. This means that you will confront each group of issues separately and address each with a specific strategy.
A cyber security strategy has several advantages
These include, for instance:
- You prove to your management that you have commitment, i.e. awareness and responsibility, towards cyber security.
- You develop a cyber security culture at all levels, as well as transparency and an overall understanding of cyber security risks.
- Management is involved with security risks; roles and tasks related to security are assigned and shared, with well-defined duties, competences and responsibilities.
- There is accountability in all IT environments, and escalation lines are defined.
- Targets, resources, competences and security controls are oriented towards a long-term strategic horizon.
- Management signs off strategies and takes on the related responsibilities; cyber security has a face, and possibly follows a business case.
- Cyber security is measured against good / best practices; a business case for a security programme can be drawn up.
- Individual situations can be traced back to a comprehensive evaluation.
- Active contribution to strategic and operational risk management to address identified risks.
- Correct positioning and long-term orientation with respect to cyber security.
- Obtaining management support.
It is not by chance that strategies belong to management, and this applies to cyber security too. All stakeholders in your company expect management to engage with this topic and to gain a good understanding of the issues. This means that not only the strategy itself must be addressed, but also its implementation; and here, working side by side with internal specialists is almost unavoidable. This is the only way in which the complexity of the issues can be fully understood, expectations can be met, and the trust of interested parties reinforced.
A cyber security strategy must be alive
You must always keep in mind that hackers are becoming ever more professional. Attack vectors change all the time, and in the future attacks will increase in frequency and severity. And do not even think of writing a cyber security strategy just to say you have one, then printing it out and leaving it in your drawer to gather dust. It must be alive: people must abide by it, and you will regularly review and adapt it. A good strategy will contain elements of prevention, detection and reaction, and it will also consider restoration after a complete failure. To this end, we suggest using the NIST Cyber Security Framework as a starting point.
Do you need help to develop and implement your cyber security strategy? Or maybe you need advice from experienced consultants? With our comprehensive offering and wide experience, we understand our clients’ needs in full: including yours, for sure. Call us today, we shall be pleased to advise you!