Cyber Security: Essential principles to secure your organisation

INTRODUCTION

The cyber security landscape is complex and constantly changing. Organisations large and small experience attacks every day, from simple phishing emails to intricate, detailed operations masterminded by criminal gangs, and for every vulnerability fixed, another pops up, ripe for exploitation.

Given the frequency of large-scale data breaches and cyber attacks in the news, you could be forgiven for thinking that it’s impossible to defend your organisation against the predations of cyber attackers – after all, if massive multinationals can’t stay secure, what hope is there for SMEs?

The answer is: more than you think. Cyber security doesn’t have to cost vast amounts of money or take a short ice age to implement. No matter the size of your organisation, improving cyber security helps protect your data and that of your clients, improving business relations and opening the door to new opportunities.

This pocket guide will take you through the essentials of cyber security – the principles that underpin it, vulnerabilities and threats and the attackers who use them, and how to defend against them – so you can develop a cyber security programme for your organisation with confidence.

CHAPTER 1: INFORMATION SECURITY AND CYBER SECURITY

The terms ‘information security’ and ‘cyber security’ are often used interchangeably, when in fact they refer to different (albeit related) things.

Information security is concerned with ensuring the confidentiality, integrity and availability (C, I and A) of all information held by an organisation, irrespective of whether the information is electronic or in hard-copy format. As a result, information security generally involves considering physical and environmental controls alongside technological ones (lockable filing cabinets, key-code doors, etc.).

Cyber security is a subset of information security and is concerned with the same things, but where information security takes a generalist approach, cyber security focuses specifically on electronic information (including the physical aspects of defending that information). New cyber risks emerge almost daily, and the successful organisation must do all it can to stay ahead of the curve.

Laws, regulations and contracts

The days of cyber security as an afterthought are long past. Today’s organisations collect, use and store more information than ever before, and the global regulatory system is beginning to catch up.

The introduction of the EU General Data Protection Regulation (GDPR) in 2018 marked a major milestone for data protection and privacy laws across the globe. Most of us remember the flood of ‘we need your consent’ emails that arrived in our inboxes in the days leading up to (and after) the GDPR took effect, but those emails were only the tip of the iceberg.

The GDPR places a wide range of security and privacy obligations on organisations that process EU residents’ data and is supported by a regime of significant financial penalties (up to 4% of annual turnover or €20 million, whichever is greater). The Regulation also requires organisations based outside of the EU that process data on EU residents to appoint an EU representative, extending the reach of those obligations and penalties far beyond the EU’s physical borders.

Another law that may be relevant is the Directive on security of network and information systems (NIS Directive). This places specific cyber security and business continuity obligations on digital service providers and operators of essential services such as power and water, with a view to mitigating the disruption that could occur as the result of a major cyber security incident.

While many organisations still grapple with the GDPR and NIS Directive, new laws such as the California Consumer Privacy Act (CCPA) or the Brazilian General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais) are being introduced around the world, and further legislation is expected in the coming years. The increasing regulatory focus on data protection, privacy and continuity of key services inevitably leads to a greater focus on cyber security, as so much of the information held by organisations is in electronic formats, and the majority of essential services rely on electronic infrastructure.

It’s not just laws that mandate effective cyber security. Cyber security obligations in contracts are increasingly common, as organisations begin to recognise the risks posed by information sharing between suppliers and partners. If your organisation takes card payments, for example, banks will expect you to adhere to the requirements of the Payment Card Industry Data Security Standard (PCI DSS), while many government contracts mandate a minimum level of cyber security to enter the tendering process.

CHAPTER 2: THREATS AND VULNERABILITIES

Risk is an inevitable part of life. Every time you do something in which the outcome is uncertain, you take a risk, whether it’s something simple like crossing the road, or something complex like undergoing surgery. Risk is a function of uncertainty – without uncertainty, there is no risk.

Different business fields approach risk in different ways, but the general principles remain the same: the likelihood of an adverse event is mapped against the effect that event would have were it to occur. If the outcome is severe and the likelihood high enough, then it is sensible to take steps to protect against it – usually by reducing the damage caused