It is best to approach your company’s cybersecurity strategy from the perspective of it being a business risk, rather than a compliance challenge.
Cybersecurity is a challenge that should be on the mind of every business, regardless of size. This point should be driven home by statistics like the one that indicates that cybercrime is today the largest criminal enterprise in the world, worth almost double that of the global drug trade. Clearly, all businesses should have a cybersecurity strategy, but the question then is, where does one begin? The answer is quite simple: the first thing you need to know is exactly what you are at risk of. Traditionally, security has been approached from a compliance perspective, but given the number of successful attacks that take place, this method has not proven to be particularly effective. This is why we recommend approaching security from the perspective of business risk. After all, every company has a set of business applications and processes that are critical to their operation. For example, a retail business must be able to transact and take payments continuously, so payment applications are obviously vital. Less critical is the minute-by-minute inventory management system, although even this, if offline for too long, would impact the business in terms of it not knowing what to re-stock or what wasn’t moving. Any system or application that you cannot afford to have down for any length of time, due to a cyber-attack, is a business risk. When cybersecurity is approached as a business risk, you essentially turn it into a business enabler, as the security steps taken are naturally more focused and protect your business-critical functions first and foremost. It should also be a boost to doing business - not only because such an approach should save you money - but also because, in a risk-averse world, other companies also prefer to do business with an organization that takes cybersecurity seriously. So, the key, especially if you are an SME, is to apply your mind to understanding what matters most to your enterprise. It could be your email program, or maybe your billing process and the apps that support this, but whatever it is, until you clearly identify it, you won’t know what to protect.
Another advantage to this approach is that cyber-insurance - which has been around for a while but has come into its own with the rise of ransomware - tends to set premiums according to the measures the client has already taken to protect themselves, much like a smoker’s life insurance premium is higher than that of a non-smoker. So, for SMEs, especially, this approach will mean they can access the security of cyber-insurance without paying prohibitive premiums.
And of course, once you know what your business-critical functions are, you need to focus on the likelihood of an attack occurring, understanding the impact it will have if you are attacked, and then assigning the budget needed to protect you from an attack. And the starting point for all of this lies in undertaking a risk posture assessment - something we will discuss in more depth in our next blog.