Six steps to a robust cyber security strategy
- Published: Tuesday, 15 October 2019 07:47
This October marks the 16th annual Cybersecurity Awareness Month, and this should serve as a reminder that businesses of all sizes need to implement strong cyber security. Graham Marcroft highlights six areas that combine to help create a holistic cyber security strategy.
With most companies on their digital transformation journey, 100 percent uptime is no longer a bonus, but a requirement. So, the construction and implementation of a complete cyber security strategy to ensure this is achievable should be a matter of priority that is engaged with across the entire company.
The first challenge is to actually understand and recognise the urgency of having a robust strategy, and one that is supported by technology that will protect increasingly digitized business operations. If the best cyber security strategy is one that covers all bases, where do you start, and what should it include? Here are my six steps to complete cyber security satisfaction:
1. Understand the necessity
It shouldn’t only be the IT team’s responsibility to ensure all systems and applications across the company are functioning securely. Board-level executives should be attending any discussion around implementing proactive prevention of cyber security vulnerabilities, and treating them as a top business priority.
Security strategies are often considered a large investment with little measurable return. In reality, the actual cost of downtime, repairs and damaged reputation can be catastrophic to a business. All business owners should be looking to ensure that they mitigate the risk of all of these costly failures by being proactive rather than purely reactive with their cyber security strategy.
2. Train your people
Often, the biggest threats and ‘weakest links’, when it comes to online security and data protection in the workplace, come from human error. If the proper training hasn’t been implemented, people and businesses can fall victim to cyber attacks. So, every business should look to integrate cyber security in the everyday working lives of employees as part of their wider cyber security strategy.
It’s vital that businesses implement solid cyber security training for all employees. Companies should avoid dreary seminars and PowerPoint presentations, and replace them with practical, accessible advice about recognising cyber attacks and how to prevent them. Think outside of the box about ways to incentivise security awareness with competitions, ethical hacking and focussing on the individual’s vital and ongoing role in cyber security. Even by understanding phishing attacks, promoting safe password management and protecting sensitive information, employees can make more informed decisions about potential security risks, and this will go a long way to keeping your business robust and resilient.
3. Be proactive about prevention
Once the importance of this strategy is understood, the next step is to think about the practical preventative measures you can take to stop disasters from happening in the first place. A reactive approach is still more common than genuine proactivity, but the two should be planned in parallel to achieve optimum security and IT resilience.
There are better technologies now available for effective prevention of cyber threats, which can ensure organizations are protected. Businesses should be researching the tools and applications that are designed to track, monitor and react, as well as solutions that intelligently integrate with your IT infrastructure.
One example of this proactive technology is intrusion detection systems (IDS). An IDS is a piece of hardware or virtual appliance that monitors a network for any malicious activity or violations of agreed policies. When deployed properly, this technology ensures that, in the event of an incoming cyber threat, the activity is immediately reported to the service provider where a dedicated security team can take the appropriate and pre-agreed actions.
4. Think about disaster recovery
Another consideration for businesses should be what they will need in the event of a disaster, on top of the effective prevention and detection. There are some considerations to make before deciding on a technology or solution for the disaster recovery (DR) element of your cyber security strategy.
Initially, organizations should work out their most critical systems, applications and types of data in relation to business operations through a risk assessment. Analysing business impact and risk assessments will both help to simplify the process and move the DR strategy in the right direction. For instance, a company that follows any certified accreditation would include it as part of business continuity planning.
Plus, in the event of a disaster, recovery objectives should help to provide an estimate of the time it will take to bring the business back up to speed. A recovery point objective (RPO) defines the point in time to which a business can restore its data after a disaster, and therefore the maximum amount of data loss it is prepared to accept. With daily backups, for example, the maximum RPO would be 24 hours. A recovery time objective (RTO) sets out how long it should take to recover from a situation such as a full data centre disaster. These considerations ensure you know exactly where you stand with your DR strategy, and ensure it can be implemented efficiently, and with peace of mind.
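To make the RPO and RTO arithmetic concrete, here is an added example (not from the article or from Hyve) that checks a constructed backup log against assumed objectives of a 24-hour RPO and a 4-hour RTO. It also shows the point a daily schedule hides: one failed nightly run quietly doubles the real data-loss window. All timestamps, statuses and thresholds are made up for illustration.

```python
from datetime import datetime

# Constructed backup log: (ISO timestamp, job status). A "failed" run means
# no restorable copy exists for that night, which is what stretches the RPO.
BACKUPS = [
    ("2019-10-10T02:00", "ok"),
    ("2019-10-11T02:00", "ok"),
    ("2019-10-12T02:00", "failed"),
    ("2019-10-13T02:00", "ok"),
    ("2019-10-14T02:00", "ok"),
]

def _hours(delta):
    return delta.total_seconds() / 3600

def parse(ts):
    return datetime.fromisoformat(ts)

def worst_case_rpo_hours(backups):
    """Largest gap between consecutive successful backups: the data loss you
    would actually face if a disaster struck just before the next good run."""
    good = sorted(parse(t) for t, s in backups if s == "ok")
    if len(good) < 2:
        return None
    return max(_hours(b - a) for a, b in zip(good, good[1:]))

def data_loss_hours(backups, incident):
    """Data loss realised for an incident: time since the last good backup
    taken before it. None if no restorable copy predates the incident."""
    when = parse(incident)
    good = [parse(t) for t, s in backups if s == "ok" and parse(t) <= when]
    if not good:
        return None
    return _hours(when - max(good))

def check_objectives(backups, incident, restored, rpo_hours=24, rto_hours=4):
    """Compare one incident (start and full-restore time) with the plan's
    stated RPO/RTO, and report the schedule's worst-case RPO alongside."""
    loss = data_loss_hours(backups, incident)
    downtime = _hours(parse(restored) - parse(incident))
    return {
        "data_loss_hours": loss,
        "rpo_met": loss is not None and loss <= rpo_hours,
        "downtime_hours": downtime,
        "rto_met": downtime <= rto_hours,
        "worst_case_rpo_hours": worst_case_rpo_hours(backups),
    }

if __name__ == "__main__":
    # Incident the evening after the failed run: 42 h of loss, 5 h to restore.
    print(check_objectives(BACKUPS, "2019-10-12T20:00", "2019-10-13T01:00"))
```

Run against the constructed log, the worst-case RPO comes out at 48 hours rather than the 24 the daily schedule promises, which is why backup job monitoring belongs in the DR plan and not just the backup tool.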
5. Weigh up your DR options
The next step, once you have found what you need from the DR element of your overarching cyber security strategy, should be looking into the technologies and options available to you.
‘Hot DR’ is one of the most sophisticated disaster recovery solutions available. It replicates and synchronizes an organization’s entire system architecture, data storage and applications to a secondary data centre. In the event of a disaster, the failover system switches the company’s DNS to the DR site, enabling the business to continue serving staff and customers. If a catastrophic disaster occurs at the production site, the DR site takes over as the production site.
It’s worth noting that the cloud has had a significant effect on DR, especially if, like many businesses, you are taking a cloud-first approach. By lowering running costs while increasing performance and reliability, cloud services have made DR more accessible and affordable. However, while utilising the cloud for your DR strategy can be a great idea, without proper management it can become complex. Managed cloud providers enable companies to focus on adding value to their business, and not be caught up in complex IT. So, in-house IT teams can focus on strategic activities and providing the infrastructure, data centre and support needed to run the business.
6. Consider a hosting provider
Equipped with the understanding of your business requirements and the technologies and solutions available to you, learning how to implement this efficiently, easily and without delay is the final step to consider.
If you are looking for ease of management, scalability and complete integration, a managed service provider (MSP) could be a good choice. The benefits of utilizing an MSP can often be the answer to solidifying your crucial security strategy. This way, your business can put new technologies to good use, and deploy efficient cyber defences through a security-as-a-service model.
Managed service providers are well-placed to deliver the right cyber security solutions for businesses to minimise risk and downtime, since their own platforms, networks and performance are their core focus. Your hosting provider should back up the promise of 100 percent uptime and go beyond expected standards to ensure your business is ‘always-on’.
Using the right MSP can be the difference between being vulnerable to an attack, and having a securely managed and monitored environment for critical data. Your MSP should provide a team of experts who are on-hand 24/7 to ensure your advanced cyber security strategy can be remotely managed using the latest tools and technologies.
Graham Marcroft is operations and compliance director at Hyve Managed Hosting.