Six steps to cyber-security expertise
Whether it’s management embracing cyber security in the running of their organisation or ticking off the basics with strong passwords, we look at the six steps businesses can take to better protect themselves against a cyber-security breach.
Step 1 - Get management buy-in
In any business, management’s view of cyber security sets the culture. The Cyber Security Readiness Report shows that 90% of businesses rated as experts agree that cyber security is a priority for management, compared with just 50% of those rated novices. “If management doesn’t have this cyber-centric view, then cyber security will always take a backseat,” explains Steve Ridley, Cyber Underwriting Manager at Hiscox UK. Conversely, when there is management buy-in, getting a budget for cyber-security spend or time allocated for employee training becomes easier to achieve.
Step 2 - Invest in training
There’s a perception that the first line of cyber defence is a company’s firewall or anti-virus software, but that’s not the case. “Humans are still very much the front line,” says Steve, who likens cyber security to a building’s alarm system that needs somebody to set the alarm and lock the doors when they leave. When everyone has a laptop and an email account, training becomes even more important, as Steve explains: “When you’re talking about the entire business population potentially being a gateway for criminals to access the business, the training programme needs a defined structure.”
Step 3 - Do the basics well
“Our claims experience tells us that it really is the basics that would prevent the vast majority of claims,” says Steve, adding that these basic steps aren’t costly or complicated to implement. Three simple actions could go a long way in securing a business: ensuring people use strong passwords; backing up those passwords with additional verification, such as multi-factor authentication; and maintaining a regular backup of systems that’s kept disconnected from the main network. “Hackers are human and humans will always take the path of least resistance, so just by implementing those steps, a business is preventing itself from being in the bottom few per cent of companies where the hackers are looking for soft targets.”
Step 4 - Don’t penny pinch
Experts are dedicating a larger portion of their IT budget to cyber security, according to the report, but it’s having a cyber-security budget in the first place, rather than its size, that’s the key. Not only does having that budget indicate buy-in from management, but it’s likely to result in better, smarter spend. “If you have a specific budget in place for cyber-security measures, businesses will start to consider where they’re best placing that money,” explains Steve. “It helps to focus the mind a bit more, rather than it just being something that’s always treated on an ad hoc basis.”
Step 5 - Think beyond protection
Steve recommends businesses follow the National Institute of Standards and Technology (NIST) cyber-security framework, which looks at a company’s ability to identify, protect, detect, respond and recover. Without a framework, Steve explains, the tendency is for companies to focus only on protection, as it’s fairly easy to purchase a product and see it working on a business’s systems. However, businesses need a multi-faceted approach, as set out by the NIST framework. “This is really where cyber insurance as a product fits,” says Steve. What we see time and again with claims is that having an incident doesn’t necessarily mean there is going to be a significant impact on the business. The level of protection in place beforehand plays only a very small part in this; rather, it’s how quickly the business is able to detect the incident, and how well it responds and recovers, that determines the long-term effect.
Step 6 - Build resilience
Businesses need to have an awareness of the reality that, unfortunately, at some point a breach is likely to happen, so they need to prepare for this. “If a minor event occurs that you’ve prepared for, it can be dealt with quickly and becomes a non-event,” says Steve. “Whereas, if there’s no foresight and process about how something can be managed, and if you’re not able to nip that minor event in the bud really quickly, it can very quickly escalate into something much more significant.”
Hiscox UK is seeing more organisations embrace cyber security in the day-to-day running of their businesses. According to Steve, the positive for businesses is that “it doesn’t take a huge amount to move from the novice to the expert”. So for those organisations still early on in their journey, just taking these first steps will start to make a difference.