How to build an effective cyber security strategy

Learn how to build the most effective cyber security strategy for your organisation.

What is a cyber security strategy?

A cyber security strategy is a business-level plan for how your organisation will protect its assets. This plan must assess the level of cyber risk your organisation is exposed to and define the defensive measures your organisation will put in place in order to protect its assets effectively from that risk.

Common misconceptions

There are two main misconceptions when it comes to building a cyber security strategy:

  1. Cyber security is limited to technical measures
  2. Cyber security is an IT department issue

Historically, cyber security meant firewalls and email filters. Over the past two decades, however, cyber threats have become increasingly sophisticated, to the extent that organisations must now defend themselves across three key pillars of cyber security: People, Process and Technology. Technical measures make up only one third of an effective cyber security strategy.

One of the other components of an effective cyber security strategy is People. When we say people, we mean all of your people, not just the IT team. No matter the level of cyber defences you put in place, no cyber security strategy is 100% effective: the odd well-crafted phishing email will always make its way through to an end user, who could be anyone from a receptionist to the CEO. Everyone within your organisation needs to have a cyber safety mindset, especially those whose roles require continuous computer use.

So, when constructing your organisation's cyber security strategy, ensure that it covers the three pillars and that the whole organisation is accounted for: not just technology, and not just your IT team.

The three pillars

For a cyber security strategy to be effective, measures should be put in place to address the three pillars: People, Process and Technology.

As discussed in our What is Cyber Security? article, a blend of measures from all three pillars will create the most effective cyber security strategy. Failing to implement measures from any one of the pillars will leave a gap in your defences that cyber criminals could exploit.

People

It is important that all people within your organisation have a cyber-aware mindset and are continuously looking for the red flags of a cyber attack. Using a Cyber Safety Awareness & Phishing simulation platform will continuously train and test your users to ensure they know what to look out for when it comes to cyber risks in their day-to-day activities, such as phishing emails, suspicious devices and unauthorised visitors. Ensuring your people are trained and aware of the cyber risks they may face is an increasingly vital component of an effective cyber security strategy.

Process

Processes are almost as old as business itself. A robust and well-followed process gives a business visibility, efficiency and flexibility in the way it works. An effective cyber security strategy is underpinned by sound information security processes and policies. While many operational processes defined within an organisation are aligned to a specific business or industry, there are widely accepted general standards for cyber security and information security. Gaining external validation against a recognised standard such as Cyber Essentials or ISO 27001 makes it easier for an organisation to confirm that its information security processes and policies are effective. Moreover, a certified organisation can demonstrate to its customers and other external stakeholders that their data is being secured in accordance with recognised good practice.

Technology

Surprising to some, technology measures make up only one third of an effective cyber security strategy. While this pillar requires the most investment, it can be rendered ineffective if an employee clicks on a phishing email or sends money to a spoofed account, or if sound processes are not being followed.

Norm. recommends that for the most effective technological defence a business should implement each of the following:

Threat Detection and Response (TDR)

Vulnerability Management

Email Threat Prevention

Regular Penetration Testing

This is to give you the best possible chance of identifying and repelling a cyber attack. TDR gives you real-time monitoring, with alerts that tell you of suspicious behaviour. A good TDR service will also give you access to experts in a 24×7 eyes-on-screen Security Operations Centre, who constantly monitor and triage the hundreds of alerts generated by your organisation's systems each day. This allows your IT team to rest assured that, even when they clock off at 6pm, someone is keeping your organisation safe.
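To make "alerts that tell you of suspicious behaviour" concrete, here is a small detection rule of the kind a TDR platform runs over authentication logs. This is an added illustration, not norm.'s code or any product's rule set: the log format, the source addresses, the user names and the thresholds are all constructed for the example. It raises one alert when a single source fails to log in five times within five minutes (the password-spray or brute-force pattern) and a second, higher-priority alert if that same source then succeeds, which is the case an analyst would escalate first.

```python
"""Toy Threat Detection and Response (TDR) rule over authentication logs.

Added example, not norm.'s code. The log format, hosts, users and thresholds
are assumptions for illustration; a real TDR service correlates many sources
(endpoint, identity, network) and triages the resulting alerts in a 24x7 SOC.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# "<ISO timestamp> <outcome> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T08:00:03 LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T08:00:05 LOGIN_FAILED user=bob src=203.0.113.7
2024-03-01T08:00:06 LOGIN_FAILED user=carol src=203.0.113.7
2024-03-01T08:00:08 LOGIN_FAILED user=dave src=203.0.113.7
2024-03-01T08:00:10 LOGIN_OK user=dave src=203.0.113.7
2024-03-01T09:15:00 LOGIN_FAILED user=erin src=198.51.100.4
2024-03-01T09:45:00 LOGIN_OK user=erin src=198.51.100.4
"""

FAIL_THRESHOLD = 5              # this many failures from one source ...
WINDOW = timedelta(minutes=5)   # ... inside this window raises an alert


def parse_line(line):
    """Split one log line into its fields (format is an assumption)."""
    ts, outcome, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "outcome": outcome,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def detect(log_text):
    """Return a list of alert dicts, in the order they fire.

    Rules:
    - 'password_spray_or_bruteforce': >= FAIL_THRESHOLD failures from one
      source IP within WINDOW (fires once per source).
    - 'success_after_failures': a successful login from a source that has
      already tripped the first rule; this is the one to escalate.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    flagged = set()               # sources that already raised an alert
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        q = recent[ev["src"]]
        if ev["outcome"] == "LOGIN_FAILED":
            q.append(ev["ts"])
            # Drop failures that have aged out of the sliding window.
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"rule": "password_spray_or_bruteforce",
                               "src": ev["src"], "ts": ev["ts"].isoformat(),
                               "failures": len(q)})
        elif ev["outcome"] == "LOGIN_OK" and ev["src"] in flagged:
            alerts.append({"rule": "success_after_failures",
                           "src": ev["src"], "user": ev["user"],
                           "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample data the first rule fires on the fifth failure from 203.0.113.7 and the second fires on dave's subsequent successful login; erin's single failure followed by a success from 198.51.100.4 raises nothing. The point of the second rule is triage: a burst of failures is noise until it is followed by a success, and a SOC analyst's job is to separate the two within minutes rather than the next morning.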

Vulnerability management allows you to continuously scan your network for known vulnerabilities. It is similar to going round your house before you go on holiday to check that the windows and doors are locked, except that a vulnerability scanning service checks continuously, so gaps are identified as soon as they appear and remediation activities, such as patching, can be applied as soon as possible. Note that scanning only finds weaknesses that are already publicly known and detectable by the scanner, which is one reason penetration testing is still needed, and findings should be prioritised by severity and exposure so that patching effort goes where the risk is greatest.
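The following is an added worked example of the matching and prioritisation step a vulnerability management service performs once it has an inventory; it is not norm.'s code or the output of any real scanner. The hosts, product names, versions and vulnerability entries are constructed (the identifiers such as EXAMPLE-0001 are placeholders, not real CVEs), and the assumption that every version below `fixed_in` is affected, plus the weights added for internet exposure and known exploitation, are illustrative choices rather than any standard's rules.

```python
"""Toy vulnerability-management pass: match an asset inventory against a list
of known vulnerabilities and produce a remediation list ordered by risk.

Added example, not norm.'s code or real scanner output. Inventory, vulnerability
entries (placeholder ids, not real CVEs), 'fixed_in' semantics and the scoring
weights are all assumptions for illustration.
"""
from dataclasses import dataclass


def vtuple(version):
    """'2.4.49' -> (2, 4, 49) so versions compare numerically, not as text
    (as text, '2.4.9' would sort above '2.4.10')."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Vuln:
    vuln_id: str       # placeholder identifier, not a real CVE
    product: str
    fixed_in: str      # assumption: every version below this is affected
    cvss: float        # 0.0 - 10.0 base score
    exploited: bool    # known to be exploited in the wild


# Constructed sample data (not real hosts, products or advisories).
INVENTORY = [
    Asset("web-01", "exampled", "2.4.49", internet_facing=True),
    Asset("web-02", "exampled", "2.4.52", internet_facing=True),
    Asset("int-db-01", "dbengine", "13.1", internet_facing=False),
    Asset("hr-app-01", "dbengine", "13.4", internet_facing=False),
]
KNOWN_VULNS = [
    Vuln("EXAMPLE-0001", "exampled", fixed_in="2.4.51", cvss=9.8, exploited=True),
    Vuln("EXAMPLE-0002", "dbengine", fixed_in="13.3", cvss=7.5, exploited=False),
    Vuln("EXAMPLE-0003", "exampled", fixed_in="2.4.53", cvss=5.3, exploited=False),
]


def is_affected(asset, vuln):
    """An asset is affected if it runs the product at a version below the fix."""
    return (asset.product == vuln.product
            and vtuple(asset.version) < vtuple(vuln.fixed_in))


def risk_score(asset, vuln):
    """CVSS plus context: internet exposure and active exploitation push a
    finding up the queue. The weights are assumptions; real programmes tune them."""
    score = vuln.cvss
    if asset.internet_facing:
        score += 2.0
    if vuln.exploited:
        score += 3.0
    return score


def scan(inventory, known_vulns):
    """Return findings ordered by risk, highest first; ties keep inventory order."""
    findings = []
    for asset in inventory:
        for vuln in known_vulns:
            if is_affected(asset, vuln):
                findings.append({
                    "host": asset.host,
                    "vuln_id": vuln.vuln_id,
                    "current": asset.version,
                    "patch_to": vuln.fixed_in,
                    "score": risk_score(asset, vuln),
                })
    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY, KNOWN_VULNS):
        print(f"{f['score']:5.1f}  {f['host']:10} {f['vuln_id']}  "
              f"{f['current']} -> {f['patch_to']}")
```

Run as written, the internet-facing web server with an actively exploited flaw lands at the top of the list, the internal database with a higher raw CVSS score than the remaining web findings comes second, and the low-severity web findings trail. That ordering, rather than the raw count of findings, is what lets a small team spend its patching effort where the risk actually is.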

Email Threat Prevention allows you to block potentially malicious emails to your end users. Whilst we are training our users in the people pillar measures, we also want to reduce the risk of them having to deal with a real phishing email as much as possible. A robust email threat prevention service will allow you to reduce the number of true threats that actually land with your end users.

Penetration Testing is a point-in-time test in which ethical hackers act like a real attacker and safely exploit any vulnerabilities, whether technical, physical or human, discovered within your environment. A good service will provide a report of the vulnerabilities found and assist in their remediation.

For the most effective cyber security strategy, all of the above measures across the three pillars of People, Process and Technology should be adopted together; each covers a gap the others leave.

Reacting efficiently

On top of having adequate measures in place, it is also key to react efficiently if and when a cyber attack occurs. You'll notice that none of the above measures will prevent a cybercriminal from targeting your business and attempting an attack; there is simply nothing you can do to stop that. What you can do is make an attack easy to detect and as hard as possible to succeed. For that to be the case, not only do the aforementioned measures need to be in place, but the resource must also be available to react efficiently.

The longer an alert, or an attack in general, is left, the further the attacker can reach into your environment and potentially steal assets or lock systems. Having access to cyber security experts, supported by enterprise-grade tools and global threat intelligence, who can immediately identify, analyse and respond to alerts, either by notifying the customer or by isolating the impacted asset, gives an organisation the assurance that, whilst an attack may still occur, the business is prepared to respond and repel it in the shortest possible timeframe, day or night.

You can hire cyber security experts to provide assistance, but in today's job market they are hard to come by and even harder to retain. As mentioned earlier, a good TDR service will come supported by a 24×7 Security Operations Centre. This should be made up of a team of cyber security analysts whose full-time job is to monitor alarms and alerts across many industry verticals for businesses located globally, and who are able to recognise potential threats, often before an attack becomes apparent to the organisation. Some 'Security Operations Centres' aren't staffed full time; they rely on automated systems to do the work. It is important that you seek support from a fully staffed Security Operations Centre for the best possible protection and service.

Company wide approach

The last point to remember about your cyber security strategy is that it should be a company-wide approach. Historically, cyber security has been seen as a technology solution and therefore made the responsibility of the IT team. However, as discussed above, people, process and technology together make up an effective cyber security strategy, so your entire organisation should have a cyber-aware attitude. It is the Board's responsibility to own cyber risk and ensure it is managed (no Board can guarantee that breaches never happen, as noted above), it is management's responsibility to ensure systems are in place, and it is everyone's responsibility to know the dangers and follow the correct processes.

Start your journey to complete peace of mind today.

Smartbloc. from norm. is the award-winning managed cyber security service that contains all of the measures that satisfy the requirements of cyber insurance providers. It contains the measures required to address people, process and technology, comes with the support of a Customer Experience Team and a 24×7 eyes-on-screen Security Operations Centre to help manage the outputs, and includes complimentary access to smartbloc. LIVE, norm.'s near-real-time online visualiser, which contains your unique Cyber Resilience Score to help measure success.