10 Steps to Cyber Security: Step 1- RISK MANAGEMENT REGIME

10 Steps to Cyber Security: Step 1- RISK MANAGEMENT REGIME

Organisations rely on technology to run their businesses. These systems store highly sensitive information that if deleted or stolen could result in financial loss and lack of trust amongst customers. Therefore, defining a risk management regime is vital.

After all, time and money is spent putting other procedures into place, for example, fire and emergency procedures. Your employees know where to go if the fire alarm sounds. However, would they know who to contact or what procedures to follow in the event of a cyber security attack? Have you considered how to protect your business from this type of incident?

Why should you have a Risk Management Regime?

Having a risk management procedure means that you have evaluated:

  • systems and software your business uses,
  • the data that is stored amongst them,
  • and how they may be vulnerable to a security threat.

The types of security threats that should be considered include and are not limited to, denial of service attacks, hoaxes, malicious malware, fraud, unauthorised access, inside threats and phishing attacks.

Employees within your business should know what to do if systems have been breached and what they should do as standard procedure.

How can the risk be managed?

This risk can be managed by:

  • A procedure needs to be put into place, so employees know who to contact and what they should do. An incident handling team should be created so employees know what their roles are in such an emergency. The main responsibility should be residing at board level.
  • The threat needs to be identified and the incident impact needs to be assessed.
  • The customers that are affected by the incident must be alerted.
  • The correct way to contain the incident also needs to be determined.
  • Employees should know what risks can be taken and what will not be deemed acceptable in order to achieve the business objective. Appropriate training and user education should be provided to ensure employees don’t accidentally make the systems vulnerable to an attack.
  • Attacks should be documented and even shared with other businesses and law enforcement, and the CiSP Information Sharing Platform, to understand what threats are emerging and share possible mitigations for them.
  • The risk management procedure should be regularly reviewed as well as the systems and software that are being used; this allows accurate instructions to be given in the event of an emergency.
  • A lifecycle approach to the procedure should also be implemented, to keep up to date with the changes within technology and the current risks that you may face.
  • Use security management good practice and apply good standards, such as the ISO/IEC 27000 series of standards.
  • Consider adopting a Cyber Essentials scheme. This will provide guidance to what should be put into place and how to manage a cyber security attack. They also offer a certificate process that demonstrates your commitment to cyber security. This certificate shows customers that you take security seriously and are committed to keeping their data safe.
  • Encourage a risk management culture, starting from the corporate governance from the top down, with user participation demonstrated at every level of the business. This will remind employees of the management plan and encourage staff to share knowledge and experience with their peers.

For more information please contact [email protected]

 

 

Related News

Member Log-In

Welcome to the SBRC Members Lounge, login details will be issued to members in due course.


Forgot password?