Generating Business Value with Cyber Security
The InfoSec Consulting Series #23
By Jay Pope
Cyber security is often seen by businesses as a necessary evil. But as the number of high-profile cyber-attacks grows and legislators seek to crack down on companies that are not taking proper care of their data through legislation such as GDPR, this mindset is changing. It’s now the case that being seen to take systems security seriously can, in fact, help the business to prosper in a competitive environment. In a world of increasingly interlinked systems, this is important. If you are going to share your data with someone else, you need to be sure they are going to properly protect it. In this article we look at how an organisation can generate business value utilising cyber security.
Understanding The Risk
It’s now widely accepted by most companies that suffering a cyber-attack is a matter of when rather than if. While high-profile data breaches such as the British Airways incident made the headlines, businesses of all sizes and in all industry sectors are vulnerable. In fact, smaller organisations may be more at risk, as they usually have fewer resources to devote to cyber security and are therefore seen as easier targets. To demonstrate preparedness and to build trust with supply chain partners, it’s essential to have a plan in place to deal with attacks. Defence is, of course, important, but you also need to have prepared for what happens should an attack occur. GDPR requires you to report breaches in a timely manner or face a hefty fine, but the regulators are likely to take a more lenient approach if you can show that you have a plan in place and have taken reasonable steps to safeguard your data and comply with the rules. This means looking not just at in-house systems but also at your cloud usage: you should not rely on the service provider to look after your data; you must take steps to ensure this yourself.
All of this requires an intelligent approach to security. New systems should have security measures designed in from the start, so that you are not playing catch-up with threats at a later stage. But many businesses are starting to go further and ask whether cyber security can increase business value, and whether it can even be a profit centre. The key thing here is to recognise that cyber security is not just an IT issue. In our increasingly systems-reliant world, it is something that cuts right across the business. Board members and shareholders should be asking hard questions about the company’s security posture and how good security can improve the company’s value. Supply chains are becoming increasingly integrated, which means you may well be linking the data in your systems to that in supplier and customer systems. But how do you know those systems are safe? You need to look at the security standards applied by these third parties as well as those of your own business. Some high-profile breaches, such as that at US retailer BestBuy, have occurred via third-party systems rather than those of the company itself. In the BestBuy case it was a payment processor, but breaches have also occurred via storage providers and point-of-sale providers. A company that is seen not merely to be secure, but to be taking security seriously, is therefore likely to be a more attractive trading partner.
Just as security shouldn’t be solely an IT issue, it shouldn’t be solely a technology issue either. Some of the greatest threats are aimed at people, not at machines. As the underlying security of hardware and operating systems has improved, cyber criminals have turned their attention to social engineering. Phishing attacks aimed at stealing credentials to gain access to corporate networks are increasingly common. Training people to spot attacks and to be aware of the possible risks is therefore just as important as taking measures to protect your network perimeter and endpoints. The person using the device is the ultimate endpoint, but not one to which you can simply apply a patch to make it secure. Of course, this applies at all levels of the organisation: spear phishing attacks against executives are just as much a threat as attempts to trick accounts clerks into opening fake invoices that install ransomware. Here it’s worth considering the benefits of implementing an Information Security Management System based on the ISO27001 standard, not only to make your own people aware of the issues surrounding securing systems, but also to demonstrate to existing and potential trading partners that you are taking these threats seriously.
Being able to show key stakeholders the tangible business value of cyber security is an essential tool to help the business to prosper in a competitive environment.
Does Your Organisation Need Top Cyber Security Consultants?
We are a team of experts with extensive knowledge and experience of helping organisations improve business performance. Our highly qualified consultancy team can deliver cyber security capability at all levels of your organisation and are on hand to help ensure your projects deliver solutions that are appropriately aligned to your cyber security risk position, and meet technical, business and ethics due diligence requirements. Schedule a call above to learn more about how we can help.