Our own worst enemy

In the world of Cyber Security, we seem to be our own worst enemy. The risks can be reduced if we choose to act. Whilst employees are a company's biggest asset, in more ways than one we are also its biggest risk.

Over the past several years it has become clear that one can no longer simply "lock-down" networks and infrastructure to implement Cyber Security. Sure, you have to have firewalls and anti-virus software, but it is not nearly enough. Cyber Security is not another IT function - it starts with ownership from the Board of Directors and applies to all employees.

Many times cyber risks are simply not understood or taken seriously. There is still a belief that "it will not happen to us" or "we are not a bank, why would someone come after us?" The risks are very real and you can and should prepare.

A good starting point for how to approach Cyber Security is to look at the various frameworks, such as NIST or ISO 27001, that have been defined and that are still evolving. These frameworks provide a good structure for your approach and usually also provide cross-references to one another to help clarify concepts, processes and recommendations. The frameworks also provide scoring mechanisms to help understand your maturity levels. As you improve, the scores will hopefully improve as well. Scoring helps you compare yourself to other companies and to your wider industry, and is a major help when presenting the Cyber Security strategy, risks and roadmap to the Board of Directors.

From a technology perspective, you should at least have:

  • Firewalls with IPS that can be monitored (and that are set up properly, so that they actually block unauthorised access).
  • Endpoint protection (not just anti-virus).
  • Network segmentation to ensure that breaches are localised or contained.
  • A dedicated Security Operations Centre (SOC) to monitor infrastructure events/activities across your network.
  • Policies, process and controls to ensure that the technology components are appropriately used, managed and governed.

You should also consider tools like Darktrace, and investing in proactive cyber intelligence, penetration testing and periodic independent assessments.

Today it is no longer a case of "if", but of "when" a breach will occur. A major part of Cyber Security is being ready for this eventuality. You will need an Emergency Response plan that everyone in your organisation understands and that you have actually tested (at least once a year). Such a plan comes into play when there is a high likelihood that sensitive or personal data, such as your internal personnel records or your customer data, has been accessed by unauthorised users or, worse yet, stolen; has been "misplaced" (temporarily or permanently); or has been inappropriately altered or destroyed (whether by an unauthorised party or by accident). Another emergency scenario is ransomware: will you pay? Be sure to cover the regulatory requirements of, for example, GDPR, if applicable.

The biggest part of Cyber Security is still, however, employee awareness. Many employees have already had bad experiences in their personal lives related to Cyber Security. As a result, they are hungry for information and understand that awareness training is a necessity. Every awareness campaign should cover topics such as: what is hacking? What is phishing? What are malware, ransomware and social engineering? How do you use the internet safely? And how and where can you get help when you have concerns or questions? In most cases, if something looks strange, it probably is something that should be double-checked. People should be reminded at least once a year of the dangers and of how they can help.

So be prepared, be vigilant, be ready!

More articles by Wouter Keyser