Have you ever looked at your day-to-day task list and felt like a real clown...
Now, I'm not suggesting anyone is standing there with a large red nose, a kipper tie, shoes that are just way too big, and driving a car whose doors will fall off at any minute.
But if you're like a lot of the individuals we speak to on a regular basis, there is a whole heap of juggling going on, or plate spinning if you will.
This time of year generates a lot of noise as organisations review current IT projects and plan new projects for the following year, moving priorities to ensure that (hopefully) everything gets completed at the right time, and on time. There are conversations fed down from the top requesting outcomes and solutions. This, as a lot of you will know, isn't always that straightforward.
The idea of cyber security resilience, and where to focus the effort, is a conversation that could run for hours, days in fact, and one that has many different facets. But what questions should you be asking within the business to achieve a better security posture?
These are 10 key questions that an organisation really should ask of itself when it comes to focusing on cyber security and data protection:
1. Do we have a data classification scheme to help identify sensitive information and ensure appropriate protections are in place? Do we actually understand the data we have and what we are trying to protect?
To secure sensitive data, or any other data of value, you really need to understand what it is, how much of it you have, who is doing what with it, and ultimately where it is leaving the business. Classification, and the work around it, is the first port of call. Once you have classified the data, you will know what you should be protecting.
2. Do we have effective mechanisms for controlling access to resources, such as how we handle new starters, movers, or staff who leave our organisation?
Many companies either don't have a process or, if they do, it is very rarely policed. This is particularly prevalent with movers within a business, where legacy permissions may, and regularly do, remain in place when they are no longer required.
3. Do we review user accounts and systems for unnecessary privileges on a regular basis?
Regularly reviewing policies and rule-based access controls is an essential part of mitigating the risk of data loss.
4. Do we enforce multi-factor authentication for all systems and users?
A simple one... but you would be surprised that this still needs discussion.
5. Do we have regularly rehearsed plans to deal with the most likely cyber events or disasters?
This won't be applicable to all, but organisations that manage critical infrastructure or hold large quantities of data or intellectual property should have roles and responsibilities mapped out with their staff to ensure the best possible route to recovery should an attack or data loss event happen.
6. Are all our hardware and software products free from vulnerabilities, supported by the vendor and regularly patched?
We take this for granted in most cases, but who carries the responsibility, from an organisational point of view, for keeping on top of this?
7. Are all staff aware of, and do they participate in, effective cyber risk management processes?
Education is key and should be regularly revisited. There are plenty of toolsets out in the market to provide cover here, but consistent messaging and processes in the business will aid this. We simply cannot rely on good old common sense!
8. Are we doing everything necessary to support our staff and stakeholders in understanding and being aware of cyber risk, via training, advice and guidance?
This is often a question of whether cyber security training is ingrained in your business processes. For example, is cyber security training a requirement of new starter onboarding and how often is this training updated?
9. Do we adequately understand our business-critical services and functions and their associated data, technology and supply chain dependencies?
A big one for a lot of organisations – people move about this industry regularly, bringing with them their own ideas and recommended technologies, and as a result legacy infrastructure and policies remain with very little information to back them up once those people have moved on. There is a huge focus on consolidating technology and moving to a single-pane-of-glass approach. This provides a perfect opportunity to review the whole environment, which in turn aids better education and more robust processes.
10. Are all staff aware of, and do they participate in, effective cyber risk management processes?
Is there a culture of shared responsibility for the management of cyber risk within the enterprise? Are there reporting channels available to help identify gaps in the processes that back this up?
2023 will pose several new challenges for organisations, both internally and externally. Data is such a strong conversation now, especially for us here at Gradian. We are finding businesses really waking up to the idea of securing data in the right way, from the ground up, rather than buying a solution with a quick-fix mentality.