How to develop a cyber security strategy for your business
The most disheartening thing about a cyber security attack on your business is how much less it would have cost to develop a cyber security strategy. Almost 23,000 businesses in Australia have had the misfortune of a cyber attack in the last nine months. Each cyber attack costs around $80,000 to $180,000 and takes an average of 23 days to resolve. These costs can be devastating to your business, especially without insurance.
As we rapidly move past the question of ‘do I need cyber security?’, here’s how you can develop a cyber security strategy for your business.
See ECU's Master of Cyber Security if you're interested in becoming a cyber security expert.
What is a cyber security strategy?
A cyber security strategy is a series of plans and guidelines that mitigate the risk of a cyber attack or data breach and maximise the security of your business’s data and devices. In addition to ensuring the basic provisions of antivirus software and network security, a cyber security strategy outlines key roles and responsibilities of individuals within the organisation in the event that an incident does occur. There’s also a focus on staff education to bring cyber security into the culture of the business.
In the first year of the Notifiable Data Breach (NDB) scheme, The Office of the Australian Information Commissioner (OAIC) reported that 35 per cent of data breaches were due to human error. These data breaches can be as simple as a misdirected email which highlights the importance of staff training in a cyber security strategy.
It’s important to acknowledge that no cyber security strategy is bulletproof – just look at the major data breaches and hacks at Facebook, Twitter or WordPress.
In the unfortunate event of a cyber attack, the strategy is also a guide on how to respond and return things to normal operating procedures as quickly as possible. When human error resulted in 13,000 customer contact details escaping from NAB, the bank turned to its cyber security strategy. We can see that early in the afternoon, they informed the Office of the Australian Information Commissioner (OAIC), then they contacted affected customers, before releasing the news to the media at 6 pm. One assumes that internally things progressed in a similarly logical fashion, with just a bit more urgency.
Assess current capabilities
Not every business has an IT department, but most businesses have some level of cyber security in place – whether it's an in-house cyber security expert or just antivirus software! So, a good cyber security strategy begins with an assessment of current capabilities. In fact, with cyber threats continually evolving, this process should be conducted regularly to update your cyber security strategy and measure your cyber security maturity.
There’s a variety of online resources that make it easy to assess your current capabilities, such as the Australian Government’s snappily named Cyber Security Risk Self-Assessment Tool. For small businesses, The Council of Registered Ethical Security Testers also offers a free self-assessment.
Both of these tools ask some probing questions that may make the hairs on the back of your neck stand up. For example, ‘how long would it take your business to recover if you lost the information you have stored on computers, mobile phones, servers, online or in the cloud?’. They also highlight potential vulnerabilities which exist in every device attached to your network and every human being who interacts with your business.
Identify strategic objectives
Cyber security failures don’t need to be big enough to make headlines to have a devastating impact. The OAIC’s report on NDBs revealed that the majority of data breaches affected fewer than 1000 people. So, it can take much less than a complete network shutdown to impact strategic objectives.
Once you’ve assessed the current capabilities of your business, discuss them with the head of each business unit to find out what might impact them. It’s essential to have an awareness of the strategic objectives of each department, as well as an understanding of the devices, servers and functions they rely on.
With this knowledge, you can start to develop a cyber security strategy for your business from the top down. Senior executives should understand it, and it should dovetail with broader business goals and plans.
Back up data
If you have a backup process, you might feel reasonably confident that you could recover from a cyber security incident fairly quickly. But when was the last time you tested those backups? Earlier this year, the operator of New York’s subway trains discovered that their backups didn’t work when they needed them. Passengers were stranded in immobile trains when a computer system failed during a heatwave.
The generally accepted best practice for backups is the 3-2-1 strategy. That means you have three copies of your data, on at least two different media, with one being offsite and offline. Having three copies on two different media drastically reduces the statistical chance of losing your data. The offsite and offline copy further protects you from fire, theft and internet threats.
Now the key to backup success is to test every single copy of your data. In their Essential Eight mitigation strategies, the Australian Cyber Security Centre recommends testing backups ‘initially, annually and when IT infrastructure changes.’
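The 3-2-1 rule and the advice to test every single copy both lend themselves to a simple automated check. The Python script below is an added example, not code from the article or from ECU: it audits a backup inventory against the three 3-2-1 conditions as the article states them (three copies, two media, one copy both offsite and offline) and then verifies each copy by re-hashing its files against a manifest taken from the primary data. The inventory format, the `MANIFEST.sha256` file name and the sample files are all constructed for the illustration.

```python
"""Added example: 3-2-1 backup audit plus restore-verification by checksum.

Assumptions (constructed for this example, not from the article):
- a backup inventory is a list of dicts with keys name, medium, offsite, online;
- the primary data set carries a MANIFEST.sha256 file in sha256sum format.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

MANIFEST = "MANIFEST.sha256"


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_321(copies):
    """Check an inventory against the 3-2-1 rule as the article states it:
    at least three copies, on at least two media, with at least one copy that
    is both offsite and offline. Returns a dict of rule -> satisfied."""
    media = {c["medium"] for c in copies}
    offsite_offline = [c for c in copies if c["offsite"] and not c["online"]]
    return {
        "three_copies": len(copies) >= 3,
        "two_media": len(media) >= 2,
        "offsite_offline_copy": len(offsite_offline) >= 1,
    }


def write_manifest(source_dir):
    """Record the SHA-256 of every file in the primary data set so each backup
    copy can later be verified against what was actually backed up."""
    source_dir = Path(source_dir)
    lines = []
    for p in sorted(source_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST:
            lines.append(f"{sha256_of(p)}  {p.relative_to(source_dir).as_posix()}")
    (source_dir / MANIFEST).write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_copy(copy_dir, manifest_path):
    """Test a backup copy by re-hashing its files against the primary manifest.
    Returns a list of problem strings; an empty list means the copy is usable."""
    copy_dir = Path(copy_dir)
    problems = []
    for line in Path(manifest_path).read_text().splitlines():
        if not line.strip():
            continue
        expected, rel = line.split("  ", 1)  # sha256sum layout: digest, two spaces, path
        target = copy_dir / rel
        if not target.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(target) != expected:
            problems.append(f"digest mismatch: {rel}")
    return problems


def demo():
    """Constructed scenario: a primary data set and two copies, one of which
    has silently lost one file and corrupted another. Returns the 3-2-1 rule
    results and the per-copy verification problems."""
    root = Path(tempfile.mkdtemp())
    primary = root / "primary"
    primary.mkdir()
    (primary / "customers.csv").write_text("id,email\n1,a@example.com\n")
    (primary / "ledger.txt").write_text("2024-01-01 opening balance\n")
    write_manifest(primary)

    good_copy = root / "nas_copy"
    shutil.copytree(primary, good_copy)
    bad_copy = root / "usb_copy"
    shutil.copytree(primary, bad_copy)
    (bad_copy / "customers.csv").unlink()              # simulated lost file
    (bad_copy / "ledger.txt").write_text("corrupted\n")  # simulated bad write

    inventory = [  # constructed inventory for the scenario above
        {"name": "primary", "medium": "ssd", "offsite": False, "online": True},
        {"name": "nas_copy", "medium": "nas", "offsite": False, "online": True},
        {"name": "usb_copy", "medium": "usb", "offsite": True, "online": False},
    ]
    results = {
        "nas_copy": verify_copy(good_copy, primary / MANIFEST),
        "usb_copy": verify_copy(bad_copy, primary / MANIFEST),
    }
    shutil.rmtree(root)
    return check_321(inventory), results


if __name__ == "__main__":
    rules, per_copy = demo()
    print("3-2-1 rules:", rules)
    for name, problems in per_copy.items():
        print(name, "OK" if not problems else problems)
```

The point of the scenario is that the inventory passes all three 3-2-1 rules while the offsite USB copy, the one you would reach for after a fire or a ransomware incident, is unusable; only re-hashing every copy reveals that. In practice the same manifest check would run on the schedule the Australian Cyber Security Centre suggests (initially, annually and on infrastructure changes), with a restore into a scratch location rather than verifying the copy in place.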
Test security efficiency
In addition to testing backups, the essential final stage of any cyber security strategy is to test how effective the security you’ve put in place actually is. This is where it’s most important to think like a cyber criminal – what could they do to gain access to your network, devices or servers?
While it’s possible to scan for vulnerabilities and conduct penetration testing yourself, an external agency may think differently to you and highlight opportunities to improve your strategy. Other members of staff can also be helpful in this process, as they may use or access business resources in different ways.
Test your cyber security strategy, make adjustments where necessary and repeat. Cyber threats are continually evolving, so testing must be performed regularly to ensure effectiveness.
You can improve your skills in cyber security testing with a Master of Cyber Security. ECU’s online Master of Cyber Security requires no previous IT experience and can be completed part-time while you continue to work. In addition to the ability to develop a cyber security strategy, the Master of Cyber Security arms you with skills in information warfare, ethical hacking and defence, and more.
Learn more about our online Master of Cyber Security. Get in touch with our Enrolment team on 1300 707 760.