Warren Pountain  |  Advice, IT Security, Compliance, Business Strategy

Your cyber risk. Understand it. Plan for it. Manage it.

There's no denying that cyber risk presents a genuine threat to your organisation. But with so much information available and much of it technical, it can be hard to understand, let alone mitigate.

Well, this blog aims to do just that. Cut through the crap and arm you with the essential information you need to understand the risk, plan for it and then manage it.

So let's get to it, starting with this simple fact.

Regardless of what anybody tells you, you can never be 100% secure and risk-free from a cyber attack.

And while we're at it. Here's another one.

If someone wants to break into your IT systems, steal your data or be disruptive, they will, with enough time and resource exceed.

And one more.

Cybersecurity isn't just a tech problem. It's a people problem, and it's a process problem.

Why do they do it?

Well, depending on who is doing the attacking, and who the target is, there are several reasons why cyber criminals attack. But for the small to medium enterprise (SME), it comes down to one thing. Money. Financial gain is the number one reason why cybercriminals attack SMEs. 

In most cases, your data isn't valuable to them, but it is to you.

What do they do?

They send emails and try to trick you into clicking on something which either gives them entry into your computer system or fools you into giving up some personal information or dupes you into paying them money.

How do they do it?

If they get into your system, the chances are they will launch a ransomware attack, which will encrypt your files and demand money to unencrypt them. Or you give up some personal information which they use to build up a profile for future attacks. Or they commit CEO fraud which is where they send an email to someone in authority to change or make payments and try to trick them into redirecting that payment to a bank account they have access to.

But all my data is in the cloud. Isn't it safe from attack?

In a word no. Both Office 365 and G Suite are not immune from attack, and they don't back up your files. Your data, in their cloud, is your responsibility.

So what can you do to protect your organisation?

1. Identify and assess the key risks to your information and systems.

For instance.

  • Infrastructure - how long could you go without access to your server(s), email, or internet connection?
  • Data - how valuable is it, how long could you go without access to it, and how much damage would it do?  

This is by no means an exhaustive. It will likely be a combination of things. What is essential is that you identify and rank your key risks in order of severity should you were to lose access to them.

2. Prepare for the worst and minimise your operational performance.

Preparing to recover from a breach is just as important as trying to prevent one. 

  • Take regular back-ups of all your most important data.
  • Have an incident response policy and process that is understood by all.
  • Perform regular disaster recovery and business continuity exercises.
  • Train all staff, yourself included to be aware of the risks and what to look for so they can protect your business. 
  • Test everything. Regularly.

3. Implement the National Cyber Security Centre's 10 Steps to Cybersecurity. 

These 10 Steps will provide your organisation with the minimum level of protection needed in cyberspace.

  1. Establish a risk management regime.
  2. Network Security.
  3. User education and awareness.
  4. Malware prevention.
  5. Removable media controls.
  6. Secure configuration.
  7. Managing user privileges.
  8. Incident management.
  9. Monitoring.
  10. Home and mobile working.

If you're interested to know more about the NCSC's 10 Steps, you can read more at their website here.

4. Don't set it, and forget it.

Regular evaluation and measurement of your risk is the most important thing you can do because your business changes, threats evolve daily, and cybersecurity that protected you yesterday, probably won't tomorrow.

Still not sure what to do or if your current IT provider has you covered?

Onebyte's Technolgy Success is built around the NCSC's 10 Steps and includes the processes, policies and governance your organisation needs to protect itself and make your people and technology brilliant together.

Call us or use the contact form below to get in touch and book a 40-minute intro meeting to find out just how brilliant.