On Friday 29 September our MD, Rupert Beeby, was delighted to be invited to speak with the Hampshire Chamber of Commerce SME members about how to justify their IT security spend and ensure limited security budgets are used effectively. In today’s world, where protecting vital business information is critical, it is key to ensure that you identify the risks and mitigate them. It was a great networking event with a diverse range of businesses joining us in Aldershot.
The focus throughout the session was on understanding the cyber security risk, what an SME can do to protect itself and the process to work through to ensure you invest in the best solution possible.
The 2017 Cyber Security Survey highlights that virtually all UK businesses are exposed to cyber security risks. With over 60% of businesses holding personal data on their customers electronically, there is more pressure than ever before to put the right IT security protection in place. With GDPR coming into force next May, this is a hot topic at the moment.
So what is the big dilemma? Spending on IT security is growing, but more investment does not necessarily mean better. With the National Cyber Security Alliance finding that 60% of small businesses shut down after a breach, it is a better approach to simplify and consolidate the tools in place to protect your business. In many cases a smaller organisation will be targeted not necessarily for its immediate clients, but as a gateway into a larger partner organisation. If you are using cloud data storage solutions, this brings its own additional challenges.
So what are the steps you need to go through?
- Plan (Identify your risk): The first step is to engage with key senior stakeholders and gain their support for the IT security challenges which the business faces. Once you have this, identify what information you have, who has access to what, and what they are doing with it. Plan how you will get this data and what you will do with it when you have it. If you find anomalies in information usage, who will need to be told and what are the management issues? Develop or update your information security policies to reflect your plan. Budgets can be developed by equating them against the cost of information loss. In GDPR terms, the cost of a breach may be significant.
- Do (Test and Analyse): Once you have some initial insight, run a tool which will give insight into information usage in the company. This insight will mean that “normal behaviour” can be understood and “abnormal behaviour” identified. This will help prioritise risks to your information. This tool can then be left running in the background to measure and mitigate risks as they arise.
- Review the results: Assess what has been discovered and decide upon the priority in tackling the challenges identified. Processes for dealing with anomalies will need to be developed, and user involvement provided. Verify that senior managers understand budget allocation against the highest risks. This is the justification.
- Act (Implement or Tune): This phase is to check whether your planning is delivering effective mitigation. Is the priority of risks correct? Has the mitigation reduced activities such as USB storage usage, or have cloud transfers been encrypted?
Understanding your information risks is critical to any budget justification. 80% of organisations have no methods to assess the effectiveness of IT security investment. So using software to show information risk means that budgets can be justified and the software continuously used to show the success of mitigation.