Step 1: Identify | Understand your environment and overall cyber risk
In the first of our five-part series, Five steps to cyber resilience, we look at why identifying your assets and understanding your overall cyber risk is the crucial first step in building a cyber resilience plan for every SME and mid-market organization.
‘Fail to prepare, prepare to fail’ goes the adage and, when it comes to cyber, it is clear that many businesses, despite relying ever more on their IT systems and online presence for business as usual, are failing to manage their response to the cyber threat.
Last year alone, 53% of mid-market organizations in 26 countries experienced a cyber breach, with the financial hit costing anywhere from $500,000 to $2.5 million per breach: enough to put a mid-sized business permanently out of operation.
Cyber is now very much a business-wide risk rather than one confined to the IT department. The total cost of cyber breaches to UK mid-market businesses last year alone reached a staggering £30 billion, firmly placing cybersecurity risk among the top risks facing business. Aon’s 2019 Global Risk Management Survey lists cyber at sixth place in the top ten risks globally, with the North America region listing it as the number one risk.
We know we’re vulnerable but…
Despite the growing costs, the majority are still under-prepared for the threat that cyber poses to every aspect of their business. Companies realize they are vulnerable but lack visibility into their level of preparedness, and have not taken the important step of systematically identifying risks across their security domains, which range from security management practices to access control systems and physical security.
Lack of awareness and understanding, resourcing and budget constraints, system complexity, and a shortage of security personnel and expertise are just a few of the many obstacles that hinder SME and mid-market companies in developing cyber resilience. The same attributes also make them increasingly attractive, and relatively easy, targets for cyber criminals.
Start with identifying where your key risks lie
There are simple measures, however, that can drastically improve a mid-market organization’s cyber resilience and put it in a much stronger position. The first stage, and the focus of this blog post, is preparation, which begins with having clear visibility into your organization’s overall cyber risk posture.
In our experience, SME and mid-market organizations are significantly less likely than larger ones to conduct cyber health checks and many have never completed a cyber-risk assessment. The result is an unclear view of where their critical risks lie and where to begin when it comes to cyber security. Put simply, would you buy a property without first conducting a detailed building survey (or inspection)? Probably not as you need visibility into its overall condition and an understanding of the risks and repairs required so you can prioritize and invest your resources accordingly. The same is true for managing your cyber risk.
Organizations must know and understand their greatest points of vulnerability, so they can prioritize areas of critical concern and develop a strategic approach to their cyber resilience strategy.
Create a cyber security foundation and baseline
Cyber security can seem daunting for even the largest of organizations, let alone those with limited resources. With so many different areas contributing to cyber risk (data, network, application, physical and third parties, to name a few), many SME and mid-market organizations and security professionals are unsure where to begin.
This is why a thorough and comprehensive cyber risk assessment can help your organization identify and analyze all areas of risk, providing clear visibility into your overall cyber risk posture. When selecting a cyber risk assessment, remember that not all assessments are created equal: they range from basic questionnaires to comprehensive cyber risk assessments based on NIST (National Institute of Standards and Technology) risk assessment recommendations.
This type of assessment will prompt collaboration amongst key stakeholders in your organization and properly assess the critical security domains that make up your cyber risk. The result is a strategic blueprint to get you started with building your cyber resilience.
Identify ‘quick wins’ and focus your resources
You cannot tackle everything at once, nor should you, but understanding your cyber risk posture in depth means you can identify and prioritize your critical risk areas and focus your resources.
A comprehensive cyber risk assessment will help you identify both key enablers for improvement and quick wins that should receive immediate focus to raise the current level of security performance, as well as longer-term remediation plans that underpin a data-driven risk management strategy.
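The prioritization described above (score each finding, separate quick wins from longer-term remediation, and see which security domain carries the most risk) can be made concrete with a small risk-register triage. The following is an added example, not code from the original article or from any assessment product it refers to. The qualitative 1-5 likelihood and impact scale, the risk bands, the effort thresholds and the findings themselves are all assumptions constructed for illustration; a qualitative likelihood-by-impact grid is the general shape NIST SP 800-30 uses, but the exact bands here are not taken from it.

```python
"""Risk-register triage for findings from a cyber risk assessment.

Added example, not the original article's code. Scoring scale, risk bands,
effort thresholds and the sample findings are all assumptions.
"""
from dataclasses import dataclass

# Assumed qualitative scale (1..5) for both likelihood and impact.
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Finding:
    domain: str        # security domain the finding belongs to
    title: str         # short description of the weakness
    likelihood: str    # key of LEVELS
    impact: str        # key of LEVELS
    effort_days: int   # estimated remediation effort (assumed scale)


def risk_score(f: Finding) -> int:
    """Likelihood x impact on the assumed 1..5 scales, giving 1..25."""
    return LEVELS[f.likelihood] * LEVELS[f.impact]


def risk_level(score: int) -> str:
    """Map a numeric score onto a band. Band boundaries are an assumption."""
    if score >= 15:
        return "critical"
    if score >= 9:
        return "high"
    if score >= 4:
        return "moderate"
    return "low"


def prioritise(findings):
    """Highest risk first; among equal risk, the cheapest fix first."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.effort_days))


def quick_wins(findings, max_effort_days=5, min_score=9):
    """High-or-critical findings that can be closed quickly."""
    return [f for f in prioritise(findings)
            if risk_score(f) >= min_score and f.effort_days <= max_effort_days]


def long_term(findings, max_effort_days=5, min_score=9):
    """Everything that is not a quick win, still in priority order."""
    wins = set(quick_wins(findings, max_effort_days, min_score))
    return [f for f in prioritise(findings) if f not in wins]


def domain_hotspots(findings):
    """Worst score per domain, highest first: where the key risks lie."""
    worst = {}
    for f in findings:
        worst[f.domain] = max(worst.get(f.domain, 0), risk_score(f))
    return sorted(worst.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample register (not real assessment output).
SAMPLE = [
    Finding("access control", "Domain admins without MFA", "high", "very high", 3),
    Finding("data", "Customer database backups stored unencrypted on a file share",
            "moderate", "very high", 10),
    Finding("network", "Flat network with no segmentation", "moderate", "high", 40),
    Finding("third parties", "No security review of payroll provider", "low", "high", 5),
    Finding("physical", "Server room door routinely propped open", "high", "moderate", 1),
    Finding("security management", "No patching SLA for internet-facing systems",
            "very high", "high", 4),
]

if __name__ == "__main__":
    print("Quick wins:")
    for f in quick_wins(SAMPLE):
        print(f"  [{risk_level(risk_score(f))}] {f.title} ({f.effort_days}d)")
    print("Longer-term remediation:")
    for f in long_term(SAMPLE):
        print(f"  [{risk_level(risk_score(f))}] {f.title} ({f.effort_days}d)")
    print("Domain hotspots:", domain_hotspots(SAMPLE))
```

The split into quick wins and longer-term work is driven by two independent inputs, risk and effort, so a critical finding with a large remediation cost (the unencrypted backups) correctly lands in the longer-term list rather than being ignored, while a cheap fix for a high-risk weakness rises to the top. Adjust `LEVELS`, the bands and the thresholds to whatever scale your chosen assessment uses.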
Strategic backing for your security strategy
Many businesses are finding their budgets increasingly stretched and can struggle to secure the required IT resources from boards and executives. A key weakness often stems from the perceived lack of risk in comparison to other business needs, or from simple resource constraints.
A cyber risk assessment can help senior leadership understand the holistic risks that cyber poses to the business in a language they understand. It can also serve as the foundation for helping to guide your organization to build a long-term security strategy and help focus your resources on the areas that matter most.
Align security functions across your organization
Another key issue for many SME and mid-market organizations is a lack of ownership for the IT security functions, which are often dispersed throughout the organization with minimal collaboration. When cyber risk touches every aspect of an organization, this can significantly hinder a business’s ability to develop a coherent cyber strategy.
A comprehensive view of your cyber posture creates the framework for risk management, IT, legal and finance teams to work together to solve an emerging, complicated risk. It can also serve as a ‘single source of truth’ for discussing your security risk strategy, strengthening collaboration and improving alignment.