How to create a cyber security strategy for your business
Knowing how your business approaches cyber security is essential to its long-term success. Sophisticated malware and ransomware attacks continue to pose a threat to your hard-earned cash, your data and your business continuity.
It’s not something you have to tackle blindly. You can and should partner with experts who can help you build a solid strategy.
In this post we’ll cover what’s needed in a good cyber security strategy and how to pull one together.
Why do we need a cyber security strategy?
Having a cyber security strategy is not the same as having an IT strategy. IT is the backbone of most businesses, and cyber security presents its own concerns, so the two need thinking about separately.
Setting up a firewall and leaving it to do its thing is no longer sufficient; a firewall does nothing about a phishing email or a reused password. Because IT is used by everyone in the business, you need buy-in from everyone, and not everyone knows what threats are out there or how sophisticated they have become.
Your strategy will help to inform what you spend money on and when, as well as communicating the rules and responsibilities to your people.
How to assess where your needs are
The first thing to do is locate your vulnerabilities and ‘crown jewels’ – the things that require the most protection.
What data is most important to the business, where does it live, and how could it be accessed? Once you know what these things are, you can work backwards from them. You don’t need to worry about creating a full disaster recovery plan yet – that’s something your strategy should include – but it will give you an idea of where to start.
It’s essentially a cyber risk assessment. One of the easiest ways to start is to work through the UK Government’s Cyber Essentials scheme, a self-assessment against five basic controls (firewalls, secure configuration, user access control, malware protection and patch management) which most IT partners can take you through. Bear in mind that it is a baseline, not a full risk assessment of your particular business.
Some of the main things that should be protected at all costs are HR data and intellectual property. HR records are personal data you are legally obliged to protect, and intellectual property can be stolen, sold or held to ransom, so both appeal to cyber criminals looking for a way into your company or for something they can take.
The best thing to do at this stage is to get a good IT partner that understands your business and can help you decide which areas you need to protect.
What to include in your cyber security strategy
Whatever’s included in your strategy needs to be agreed upon from the top down. Everyone, from the board and executives to the end users in your staff teams, needs to understand and buy in to the strategy for it to be effective.
We’ll look at how to do that below. But first some ideas of areas to cover in your strategy.
- Regular testing
What are you going to test (that backups actually restore, that staff can spot a simulated phishing email, that your defences hold up to a penetration test), and when are you going to do it so that it causes the least disruption? And if a lot of your staff are working from home, how can they be involved in this?
- Remote working
With remote working and working from home becoming more popular, this needs its own considerations. Rather than supporting one site, you are now supporting many: every home is effectively a separate site with its own network, devices, roles, habits and risks.
- Protection priorities
For most businesses the cyber security budget is finite. You need to decide what you’re protecting above all else and where budgets and individual responsibilities are delegated.
- Software
There are any number of software solutions out there. You need to pick a stack that works for you and stick with it. You also need to establish how often individual users need to interact with it, because a tool people have to fight every day will be worked around. The best thing to do is partner with a firm who knows their stuff and can recommend what they have seen work for businesses like yours.
We never recommend anything that we don’t already use. We recommend solutions like WatchGuard because from experience, we think they’re the best around.
How to get buy in from users
One thing we mentioned above is the importance of getting buy in from everyone who works at the company, especially everyday users.
This is not only because they usually present a risk to the safety of your business – sorry folks, it’s true! – but also because they are your workforce. If your strategy interferes with their ability to do their job, you aren’t going to get the results you’re after.
The best way to make sure they’re on board is to provide training that examines the risks and explains how they can be dealt with.
Some companies will use the threat of sanctions to keep staff on their toes. We’re not sure that’s great for morale and would instead suggest you’re better off providing some form of incentive alongside regular training to help them make conscious decisions. Perhaps show how the lessons they learn here can be beneficial to all aspects of their life, and give them the opportunity to make mistakes and learn from them.
Having a good intranet and sharing relevant information on it is also a good way of keeping people informed of changes to the strategy and of new threats as they appear.
How long will a typical cyber security strategy last for?
When you’re putting this together, you’ll want to have some assurance that your efforts have been well spent.
How long a cyber security strategy is good for varies from business to business. Of course, some of the core principles should stay the same over a long period of time. But with threats changing all the time, it’s fair to say it will need reviewing.
It’s probably a good idea to have a monthly review to keep up with anything that may have emerged recently, and a fuller review of the strategy itself at least once a year or whenever the business changes significantly. The main thing is to stay in touch with your IT partner, who will no doubt keep you informed should anything major rear its ugly head.
Fortunately, with most current software, a lot of the updates are applied automatically and at regular intervals. That only helps if automatic updates are actually switched on and the devices are actually receiving them, so checking that they are belongs in your regular review.
Can you ever be 100% safe?
Ideally there would be a cyber security solution that guarantees the complete safety of your system. Unfortunately, no amount of strategizing and software is going to keep you 100% protected from cyber-attacks. It’s always possible that something could slip through the net.
There is always going to be an element of catching up to hackers who are constantly finding new ways to trick people. But (and this is a big but) you are dramatically decreasing the chances of this happening.
Most importantly you are protecting the data which is pivotal to the success of your business. When new vulnerabilities are found, vendors release patches, and your IT partner should be among the first to know and to get them applied.
Having a strategy that acknowledges that some risk will remain and plans a proportionate response, including how you will recover, will mean downtime is kept to a minimum and business can continue to operate.
Need a partner who you can trust to put you in the best position? Get in touch.