Cybersecurity Solutions: best practice is common sense
With more than 98% of UK businesses and charities operating online, cybersecurity solutions are not something that can be ignored. Threats are becoming more sophisticated and harder to detect. Despite increased awareness of the dangers, 22% of charities in the UK reported that they’d suffered a data breach in the last year – costing them on average £9,470.
While measures such as the GDPR have encouraged organisations to look more closely at how they manage their data security, standards are falling well short of industry best practice. Of those polled in the Government’s Cyber Security Survey, a whopping 49% of charity directors said they were only updated on cyber security measures once a year, while only 27% of charity staff had taken IT security training in the last year. Meanwhile, only 53% of charities had taken action on 5 or more of the Government’s 10 step pathway to Cyber Security.
While these statistics make alarming reading (especially given the amount of personal data that charities hold), they are also indicative of the prevailing difficulties organisations face when developing IT security policy. It’s common for businesses to start and stop, unable to see the wood for the trees. That, however, does not need to be the case. Much of what IT security solutions companies offer comes down to common sense and consistency. So, if you’re struggling to get going, these 5 tips will get you heading in the right direction.
Prioritise your information
Cybersecurity solutions revolve around protecting your information. Focus on your information first rather than the technology you’ll use to protect it and you will have a solid base to start from.
We always recommend a framework that keeps your information confidential, protects its integrity and manages its availability. The CIA triad, as it is known, is robust and lends itself to iterative and constant improvement. So, in practice, you encrypt your information to make it secure, grant access only to those that need it, and maintain its integrity by checking that it hasn’t been corrupted in any way.
“What makes the CIA triad work is the playoff between the three components,” says Nutbourne’s Technical Director Patrick Burgess. “For example, you can’t have total confidentiality because people need access; and for the information to be useful you need to maintain its integrity, and the best way to do that is to protect it and undertake a network security audit.”
“Essentially, when you optimise one aspect of the three you are led naturally to ask questions of the other two and are able to make constant improvements.”
Are you compliant?
There are several laws governing the use and misuse of data by organisations, but being compliant isn’t as complicated as it might sound. There are a number of standards available, such as the various ISOs, Cyber Essentials and PCI, which if implemented correctly will help ensure you are compliant with the various laws. Although the standards themselves aren’t legally binding, it’s important they are maintained and embedded if you intend to use them to demonstrate your compliance.
“If, for example, you commit to Cyber Essentials it is not just something you get a badge for and forget about,” says Patrick. “If you suffer a data breach and you’re found to not be compliant with the compliances you have chosen, then you open yourself up to potential damages.
“It’s worth remembering that there is nothing in an information security management system (ISMS) that says you can’t make mistakes. But what you should be doing is using your ISMS to identify things that have gone wrong or need improvement and fixing them. You can't ever be perfect. It's not possible.”
Prevent rather than cure
Cyber threats, like the rest of the technological world, grow and evolve, often at a pace that is hard to keep up with. To that end, we always recommend that organisations look to make small, continuous and consistent improvements to their security policies, processes and practices.
Again, this is actually relatively simple and often boils down to common sense. If you commit to the basic principles ‘secure, enforce, monitor and improve’, you will foster systems, processes and procedures that readily identify and mitigate risk, and move your IT security away from the ‘break-fix’ model.
“Bear in mind that you don’t have to fix all the risks yourself,” Patrick says. “Some of the risks you can pass to a third-party cybersecurity solutions specialist if you don’t have capacity to handle them, or if appropriate to an insurance company if you can’t afford to take the necessary steps to mitigate them. Taking this approach gives you peace of mind and can reduce the to-do list.”
Make life simple for yourself
Fine tuning your IT compliance or giving it an overhaul can be a daunting task, especially if you’re unfamiliar with the process. It can be hard to see the wood for the trees. Network audit companies traditionally follow one of two approaches, which keeps matters simple and allows you to concentrate on the day job.
The first option, if you require something very custom, is to bring it in-house and build your bespoke information and compliance structure. The benefit of this is that you manage the entire process and have full ownership from the bottom up; however, it is critically important in this scenario to get regular oversight and auditing from a respected and independent source. It’s very easy to get lost down the rabbit hole when you own the entire process, and you can fail to see the big picture.
Alternatively, and this is becoming increasingly common, you can bring in an external party to oversee the structure and compliance. Commonly this can be customised for you, allowing the provider to do all the work and provide best practice knowledge.
Whatever you choose, make sure that your information adheres to the CIA triad.
React quickly to data breaches
Most organisations hold a lot of personal data – charities especially, given the nature of how they raise and receive money from the public. This makes them particularly accountable as far as the GDPR laws are concerned. As such, data breaches always need to be reported to the Information Commissioner’s Office (ICO). That could be anything from a ransomware attack to full-blown data theft. If your data has been compromised, the ICO needs to know and you need to take restorative measures. This is why a network security audit is so imperative.
“It’s important to remember, the ICO aren’t out to get you,” Patrick says. “If you have the right policies in place and are able to let the right people know and talk to the right people to recover your data, it will reflect well on you. The companies that have recently suffered data breaches and come out well have told authorities early and communicated to those affected quickly.
“If you have a policy in place to deal with breaches, a plan to manage and mitigate risks and a plan for constant improvement then you will be able to manage data breaches effectively and be able to demonstrate that you weren’t negligent – which is very important in the eyes of the ICO.”
So, if you’d like to find out more about Nutbourne’s cybersecurity solutions, onsite IT support and cloud services, then get in touch today.