H2 Newsletter - Cyber Security Strategy
Trust H2 to devise strategies and solutions that are Appropriate, Affordable and Accreditable

In last week’s newsletter I said we’d discuss cyber security strategies fit for SMEs. Before that, though, let’s talk a bit more about ransomware and, more generally, why you need a strategy at all; that will lead us gently into what it should look like.

A ransomware threat called HardBit, which has been around for a while now, has moved to version 2.0, but what is different about this gang is how it tries to extort money. It tries to negotiate a ransom payment that would be covered by the victim's insurance company. Specifically, the gang tries to convince the victim that it is in their interest to disclose all insurance details so the demand can be adjusted to a figure the insurer would cover in full. I’ve talked before about SMEs tending to pay up rather than suffer any consequences, and I can see this offer being tempting. However, I can also see it coming a cropper in several ways, chiefly that cyber insurance policies generally contain a considerable number of get-out-of-jail-free clauses for the insurer, notably that all precautions must have been taken to prevent such an event from happening, with many of those precautions set out in detail. Frankly, I can’t see a lot of payouts.

What the above does show is how cyber criminals adapt and change to maximise their chances of success, and that a key aspect of staying on top of cyber security is staying on top of emerging and evolving threats, which requires a flexible strategy that allows for change and adaptation. Of course, for most SMEs this isn’t your core business, and you need to reflect on how you can devise such a strategy to survive in this ever-changing world.

Whilst the development and documentation of an agreed and comprehensive cyber-security risk management strategy is essential to establishing the direction and purpose of an effective cyber security program, it doesn’t have to be that frightening for an SME. Most strategies have been devised with larger enterprise organisations in mind; for an SME, therefore, we need to scale it back and make it appropriate and affordable. However, just like those of larger companies, a cyber-security strategy for an SME must support the overall business objectives and the regulatory and governance requirements of the organisation. In so doing, cyber-security becomes not only a Board-level issue but (more importantly) part of the overall business strategy.

There are 5 elements of a cyber-security strategy:

· Roadmap.

· Business alignment.

· Innovation.

· Regulatory changes.

· Cyber-security charter.

As can be seen in the diagram below, the roadmap, business alignment, innovation and regulatory changes all feed into the production of the cyber-security charter, which ensures that the strategy is formally approved by those who need to give such approval. In some cases that will be one person, you the owner, but in other cases there will be more stakeholders, such as other directors, departmental heads, the IT manager/director etc.

[Diagram: roadmap, business alignment, innovation and regulatory changes feeding into the cyber-security charter; image not reproduced here]

Roadmap

To enable cyber-security to better support the business, there must be a clear understanding of the organisation’s business direction and plans, especially where these are likely to have an impact on cyber risk. For example, any plans for developing new business applications, migrating to the cloud, or adopting new business systems are all likely to introduce new elements of cyber risk. To help the cyber-security program address these, all the relevant stakeholders need to have input into drawing up the strategic roadmap that will indicate relevant future business changes.

Business alignment

Cyber-security must support the organisation’s overall business objectives while at the same time managing the business risks that derive from both current and developing technologies. Any control within a cyber-security program must be able to demonstrate support for either a business objective or a regulatory or statutory mandate. Any cyber-security control that is unable to demonstrate such support can be regarded as potentially failing to support the cyber-security strategy – and thus as unnecessary or excessive.

Innovation

As a business creates innovative products and enters new markets, it requires new approaches to IT. Such approaches include adoption of the cloud, managed services, and mobility. Security professionals need to anticipate the architectural changes required to keep pace with these new approaches and be able to address the budgetary disciplines required to support them. Because secure adoption of the cloud and wider use of mobility will reduce business risk exposure while at the same time enabling greater innovation, cyber-security strategy and the involvement of cyber-security professionals become essential to the business’s senior management.

Regulatory changes

Legal, regulatory, and statutory requirements are constantly being developed and updated to keep pace with the changing business and threat landscape. The organisation’s legal advisors can therefore be a key stakeholder in the cyber-security strategy, and a close and ongoing relationship between them and the organisation’s cyber-security professionals, or those it has partnered with to carry out that function, is essential.

Cyber-security charter

A documented cyber-security charter is the element of cyber-security strategy that establishes the direction and mandate for the key stakeholders in cyber-security risk management. The charter contains a statement of the mission of the cyber-security strategy, its key objectives (both business and technological), the roles of the key stakeholders, a communications plan, and a change control plan. Because both the board and the CEO are critical to the success of the cyber-security strategy, it is essential that they are fully bought into the charter and understand and accept accountability for their roles as stated within it.

I realise that all the above seems very daunting for an SME’s management, which often barely has time to consider the elements key to making the business function, let alone spend time and trouble dealing with this. However, it needn’t be. These 5 elements are a guide, not set in stone, and if followed, but scaled to match the business requirements (see step 2 – business alignment), then it becomes very manageable and, in fact, essential.

Here at H2 we have a lot of experience in devising cyber risk management strategies for large enterprises and know how to scale them accordingly. We have also spent a lot of time and energy researching solutions for the SME sector that will provide affordable and flexible one-off and ongoing data protection and cyber risk protection services.

To learn more about the services we provide, please visit https://www.hah2.co.uk/

Please feel free to give us a call or email.

Alternatively, you can book a slot using our Calendly link, https://calendly.com/kevin_hah2

T: 0845 5443742

M: 07702 019060

E: [email protected]

Trust H2 – Making sure your information is secure