How to build a comprehensive cyber security strategy

Most, if not all businesses know the importance of protecting themselves against cyber threats. If your organisation is breached the consequences can be serious, both reputationally and thanks to GDPR financially.

Therefore, it's important to have an effective cyber strategy, but it's not always easy to put something in place that provides comprehensive coverage. The work doesn't stop at implementation, either the strategy needs to be regularly reviewed to ensure continued compliance with legislative and regulatory requirements, as well as adhering to internal rules.

Ownership, mandate and scope

In order to build a functional and comprehensive cyber security strategy, you need to have a mandate at the most senior level of the organisation. This means the Chief Security Officer (CSO), Chief Technology Officer (CTO) or someone in a similar role should have responsibility. The implications of GDPR on data security need to be understood and built into the plan and the senior officers must ensure both they and senior managers are aware of their responsibilities.

Outsourcing some or all of the actual work will be attractive to many organisations. Advantages to this approach include a fresh perspective, access to skills that might not be available in-house, and the ability to work faster than if internal staff, with their ongoing role responsibilities, take the work on. But external support needs to be very well directed and managed, to ensure the right outcomes are achieved. Collaboration with an external organisation, rather than total outsourcing, may be a better way forward.

It's also vital that a cyber security strategy is scoped as a business enabler, not something that will get in the way of people trying to do their jobs. Adam Toulson, managing director at Accenture Security, tells IT Pro: "Success requires more than just threat detection and compliance. A good security strategy should always complement the business strategy rather than stifling it."

Organisations also need to bear in mind that a strategy must be both comprehensive and achievable. That's not necessarily an easy balance to achieve. Toulson advises: "Keeping it simple, with a maximum of five or six key objectives, will ensure that everyone is bought into the strategy and is working towards the same goal."

Don't leave anything to chance

If you sit down and make a list of everything that's got to be covered in a cyber security strategy, plenty of things will easily spring to mind. You'll likely focus right from the start on the obvious technology and on the data that it holds. Kevin Curran, professor of cyber security at Ulster University and a senior member of the IEEE offers a starter list: "All aspects relating to the protection of data need to be considered. This includes examining security of physical locations and employee access, data storage, data backups, network security, compliance and recovery procedures, and of course all IoT devices."

But there's a lot more to a comprehensive cyber security strategy than those more obvious areas. One area that's very easy to omit or only pay partial attention to is software. Before rolling out any strategy, you should do a full software audit of your organisation. As a minimum, you need to record all software in use, where it was sourced, what the contractual agreements are for payment, how frequently and through what mechanism it's updated (is this done in house and if so by whom, how often, where are the update logs kept), and who has ownership.

This might be a bigger task than you think. Ownership might not be with the IT team indeed, you may find software that's crept in completely under the radar. In all these scenarios, you need to establish whether or not the owner fully aware of their responsibilities and, if they're not, educate them or consider moving ownership over to the IT department.

What about people and partners?

A cyber security strategy needs to take account of the risk people can bring. As Curran says: "People are often the weakest link in security, therefore it is important to ensure all employees are well trained on aspects such as cyber security best practices like phishing and data sharing practices, keeping software updated, unique strong passwords, enabling two-factor authentication and so on."

Within enterprises, senior IT management will be most enthusiastic to introduce the security awareness component of a cyber security strategy, because they realise the risks that stem from uneducated employees. Simply, awareness reduces the number of threats they have to detect and remediate.

The same level of enthusiasm may be difficult to coax from fellow C-level employees, though. For senior business managers, security training may be viewed as an unwanted disruption to workflow, harming productivity. In response to such complaints, IT leaders must highlight that by eliminating security threats, users will be more productive in the long term: After all, security training is much less of a disruption to business than a malicious ransomware attack that infiltrates systems and brings all operations to a stand still.

Scaling down the ladder, general staff may not believe or understand the threat level, may not believe it will impact them directly, or else have unsubstantiated faith in their ability to counteract threats. In reality, hacking methods are constantly evolving. If employees' knowledge doesn't keep pace, a risk gap widens. To bring employees onboard with awareness training, engaging courses must be delivered that focus not only on the importance of vigilance, but rewarding personnel for enhancing their security behaviors.

Curran also points out that people often don't learn till they've been bitten. Some organisations are attempting to tackle this by sending out phishing emails containing fake malware to educate those who click, for example.

An ongoing process

If a comprehensive cyber security strategy is being set up for the first time, it will take a while. There might be some digging around, some forced changes to the ways in which some people work day to day and, depending on your strategy for controlling shadow IT, some disgruntled staff to deal with.

Once this is all done, maintaining the strategy should be an ongoing process, with frequent enough audits to ensure compliance and regular, ongoing messaging to help prevent infractions. As Curran puts it: "Organisations need to maintain their internal standards and conduct regular audits of all connected devices and security risks including physical. Without regular audits the process becomes toothless."