We have all seen, read or been told that you need to do this or don’t do that (I even wrote an article recently on just that) to fix your cybersecurity.
This attitude is wrong.
All it does is focus you on the ‘X’ number of things that are considered important. It does not fix the overall problem of digital protection, cybersecurity and protecting the organisation’s data against a cyber event.
Today’s threat market is all about two things:
Managing the risk to your organisation is totally dependent on the organisation. Get it wrong though and the organisation is open to litigation, compliance and reputation challenges.
Defining the risk and then mitigating, reducing or accepting the risk depending on your organisation’s risk posture.
That risk posture has to have a basis in fact. Every organisation is different, therefore every organisation’s risk posture will be different.
“She’ll be right”, “it will never happen to us” and “we have nothing worth stealing” are stupid risk postures and should be avoided at all costs.
Let’s take patching – you cannot implement a patching process if you have not looked at the associated risk of applying, waiting on or ignoring a patch to software or operating systems.
Some patches are critical and the risk to the organisation outweighs the impact of a cyber event. These need to be applied immediately.
Other patches could mitigate some risks to a system and can be applied as part of the patch process. We recommend within 15 days.
There are also patches that would have minimal impact on a system: if the system was not patched and was compromised, the attacker would not get access to critical data. These can be applied based on the organisation’s risk posture.
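The three patch tiers above turn into a simple SLA check. This is an added example, not code from the original article: the "immediately" and 15-day windows come from the text, while the 60-day window for low-impact patches, the `Patch` record layout and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Tiers follow the text: critical patches go on immediately, patches that
# mitigate some risk go through the normal process within 15 days, and
# low-impact patches get a window set by the organisation's risk posture
# (the 60-day default below is an assumed value, not from the article).
SLA_DAYS = {"critical": 0, "standard": 15}

@dataclass
class Patch:
    name: str
    tier: str                       # "critical", "standard" or "low"
    released: date
    applied: Optional[date] = None  # None = not yet applied

def due_date(patch: Patch, low_tier_days: int = 60) -> date:
    """Deadline for applying the patch under the tiered policy."""
    if patch.tier == "low":
        return patch.released + timedelta(days=low_tier_days)
    if patch.tier not in SLA_DAYS:
        raise ValueError(f"unknown tier: {patch.tier}")
    return patch.released + timedelta(days=SLA_DAYS[patch.tier])

def sla_report(patches: List[Patch], today: date,
               low_tier_days: int = 60) -> Tuple[List[str], List[str]]:
    """Return (breached, at_risk): breached = applied after the deadline or
    still open past it; at_risk = still open and due within 3 days."""
    breached, at_risk = [], []
    for p in patches:
        due = due_date(p, low_tier_days)
        if p.applied is not None:
            if p.applied > due:
                breached.append(p.name)
        elif today > due:
            breached.append(p.name)
        elif (due - today).days <= 3:
            at_risk.append(p.name)
    return breached, at_risk

# Constructed sample inventory; the names are placeholders, not real patch IDs.
SAMPLE = [
    Patch("KB-crit-001", "critical", date(2024, 3, 1), applied=date(2024, 3, 1)),
    Patch("KB-crit-002", "critical", date(2024, 3, 2), applied=date(2024, 3, 4)),
    Patch("KB-std-003", "standard", date(2024, 3, 1)),
    Patch("KB-std-004", "standard", date(2024, 3, 10)),
    Patch("KB-low-005", "low", date(2024, 1, 1)),
]

if __name__ == "__main__":
    breached, at_risk = sla_report(SAMPLE, today=date(2024, 3, 24))
    print("SLA breached:", breached)
    print("due within 3 days:", at_risk)
```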
Looking at the overall risk to an organisation will drive the security around that organisation and the underlying risk associated with a breach can be discussed as part of the overall business risk assessment.
When used correctly, a framework increases the awareness and security around an organisation.
We use NIST, but any framework will do.
A framework allows an organisation to take the blinkers off and focus on the organisation as a whole.
It is a holistic approach to protecting the organisation from a cyber event because it looks at a number of related, important but often overlooked features of digital and cyber protection.
Each of the components of the framework allows the organisation to implement change in a managed and focused way.
It allows an organisation to improve security, with each change benefiting the organisation.
It is a process, not a knee jerk reaction to the next threat.
Business security is not about implementing a decent firewall, installing end point protection and sitting back because you think you are safe.
Business security is about education, policies and procedures, business continuity, visibility and viability.
This solution cannot be achieved through reaction; it needs to be a proactive process embraced by all members of the organisation.