Cybersecurity: best practice is common sense by Patrick Burgess, Technical Director, Nutbourne on 18-Jun-2020

With more than 98% of UK businesses and charities operating online, cybersecurity solutions are not something that can be ignored. Despite increased awareness of the dangers, 46% of businesses in the UK reported that they'd suffered a data breach in the last year - costing them on average between £3.2k and £5.2k, says Patrick Burgess, Technical Director at Nutbourne.

Of those polled in the Government's Cyber Security Survey, a whopping 49% of businesses do not receive quarterly updates regarding cyber security and 17% of businesses aren't updated at all.

While these statistics are indicative of prevailing difficulties organisations face when developing IT security policy, much of what IT security solutions companies offer is down to common sense and consistency. Here are my five tips that should help to point you in the right direction.

Prioritise your information

Cybersecurity solutions revolve around protecting your information. Focus on your information first, rather than the technology you'll use to protect it and you will have a solid base to start from.

A framework that keeps your information confidential, protects its integrity and manages its availability is recommended. The CIA triad, as it is known, is robust and lends itself to iterative and constant improvement. In practice, you encrypt your information to make it secure, grant access only to those that need it and maintain its integrity by checking that it hasn't been corrupted in any way.

What makes the CIA triad work is the playoff between the three components. For example, you can't have total confidentiality because people need access; and for the information to be useful you need to maintain its integrity. The best way to do this is to protect it and undertake a network security audit.

Are you compliant?

There are a number of standards available, such as those set by the International Organization for Standardization (ISO) or the Payment Card Industry (PCI), which if implemented correctly will help ensure you are compliant with the various laws governing the use and misuse of data. Adhering to these standards will ensure that any organization is able to manage the security of assets, such as financial information, employee details and intellectual property. If you suffer a data breach and you're found to not be compliant with the compliances you have chosen, then you open yourself up to potential damages.

It's important to use your information security management system (ISMS) to identify things that have gone wrong or need improvement before fixing them.

Prevent rather than cure

Cyber threats grow and evolve at a pace that is often hard to keep up with. To that end, organisations should look to make small, continuous and consistent improvements to their security policies, processes and practices.

This is relatively simple and often boils down to common sense. If you commit to the basic principles 'secure, enforce, monitor and improve', you will foster systems, processes and procedures that readily identify and mitigate risk, and move your IT security away from the 'break-fix' model.

Make life simple for yourself

Fine tuning your IT compliance or giving it an overhaul can be a daunting task, especially if you're unfamiliar with the process. Compliance structures tend to take one of two approaches:

The first option, if you require something very custom, is to bring it in-house and build your bespoke information and compliance structure. The benefit to this is that you manage the entire process and have full ownership from the bottom up. It is, however, critically important in this scenario to get regular oversight and auditing from a respected and independent source. It's very easy to get lost down the rabbit hole when you own the entire process and you can fail to see the big picture.

Alternatively, you can bring in an external party to oversee the structure and compliance. Commonly this can be customised for you, allowing the provider to do all the work and provide best practice knowledge. Whatever you choose, make sure that your information adheres to the CIA triad.

React quickly to data breaches

Organisations holding a lot of personal data are seen as particularly accountable as far as the GDPR laws are concerned. As such, data breaches need to be reported to the Information Commission Office (ICO) at all times. That could be anything from a ransomware attack to full-blown data theft. If your data has been compromised, the ICO need to know and you need to take restorative measures. This is why a network security audit is so imperative.

If you have the right policies in place, are able to let the right people know and talk to the right people to recover your data, it will reflect well on you. The companies that have recently suffered data breaches, told authorities early and communicated to those affected quickly, allowing a much higher chance of recovery.

For more information, please visit the Nutbourne webstie

Tweets by @biz_works