What are the fundamentals of Cyber Security?
Much like traditional physical security, cyber security is about keeping your digital assets safe from internal and external threats. Just as you probably have several layers of physical security in your home or office (door locks, CCTV and so on), cyber security is about layering controls to protect your assets in the digital world.
Where to start?
One area that underpins your Cyber Security initiative or plan will be Asset Management. To understand how best to protect your business you need to know what it is that you are protecting. Or to look at it another way, you can’t protect what you don’t know exists.
So, a good starting point is to make sure you have a physical inventory of assets: laptops, mobile phones and any other device that has access to your corporate data.
Many information security programmes go a step further and also build an inventory of information assets, ranked by their importance to the organisation. A useful question to ask when starting this process is: “If an attacker were trying to get into my organisation, which information would they be most interested in?” Answering that question gives you an insight into your information assets and where to start.
The reality for most firms is that budgets are limited, so starting with your most important and sensitive information assets is vital to ensure you allocate that budget where it matters most.
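The two inventory steps above, reconciling the devices you think you have against what is actually seen on the network (“you can’t protect what you don’t know exists”) and ranking devices by the most sensitive information they can reach, as an added Python example. This is illustrative code written for this page, not a tool from the original article; the device names, information assets and the four-level sensitivity scale are all constructed for the example.

```python
"""Added example: reconcile a device inventory against observed hosts and rank
devices by the most sensitive information asset they can access.
All sample data below is constructed for illustration."""

from dataclasses import dataclass, field

# Constructed sensitivity scale for information assets: higher means more important.
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass
class InformationAsset:
    name: str
    classification: str  # one of the SENSITIVITY keys


@dataclass
class Device:
    hostname: str
    owner: str
    has_access_to: list = field(default_factory=list)  # names of information assets


def device_priority(device, info_assets):
    """Priority score = highest sensitivity of any information asset the device can reach.
    A device referencing an asset that is not in the information inventory is an
    inventory gap in its own right, so it is raised rather than silently ignored."""
    by_name = {a.name: a for a in info_assets}
    scores = []
    for asset_name in device.has_access_to:
        asset = by_name.get(asset_name)
        if asset is None:
            raise KeyError(f"{device.hostname} references unknown information asset {asset_name!r}")
        scores.append(SENSITIVITY[asset.classification])
    return max(scores, default=0)


def rank_devices(devices, info_assets):
    """Return (hostname, score) pairs, most sensitive first: this is the order in
    which a limited budget should be spent."""
    scored = [(d.hostname, device_priority(d, info_assets)) for d in devices]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def reconcile(inventory_hostnames, discovered_hostnames):
    """Compare the inventory with hosts observed on the network (for example a DHCP
    lease list or an endpoint-agent console export).
    unknown = seen but never inventoried, so not covered by any control;
    missing = inventoried but not seen, possibly lost, retired or switched off."""
    inventory = set(inventory_hostnames)
    seen = set(discovered_hostnames)
    return {"unknown": sorted(seen - inventory), "missing": sorted(inventory - seen)}


# Constructed sample inventory.
INFO_ASSETS = [
    InformationAsset("investor-register", "restricted"),
    InformationAsset("payroll", "confidential"),
    InformationAsset("intranet-wiki", "internal"),
    InformationAsset("marketing-site", "public"),
]

DEVICES = [
    Device("lt-cfo-01", "cfo", ["investor-register", "payroll"]),
    Device("lt-hr-02", "hr", ["payroll", "intranet-wiki"]),
    Device("ph-mkt-07", "marketing", ["marketing-site"]),
    Device("lt-it-03", "it", ["intranet-wiki"]),
]

# Constructed list of hostnames seen on the network during the same week.
DISCOVERED = ["lt-cfo-01", "lt-hr-02", "lt-it-03", "lt-unknown-99"]


if __name__ == "__main__":
    for hostname, score in rank_devices(DEVICES, INFO_ASSETS):
        print(f"{hostname:<14} priority {score}")
    gaps = reconcile([d.hostname for d in DEVICES], DISCOVERED)
    print("unknown devices (seen, not inventoried):", gaps["unknown"])
    print("missing devices (inventoried, not seen):", gaps["missing"])
```

Run it and the CFO laptop tops the list because it can reach a restricted asset, while `lt-unknown-99` shows up as a device that no control in the programme currently covers. In practice the discovered list would come from a network scan, DHCP server or endpoint-agent console rather than a hard-coded list.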
With your list of physical and information assets in hand, you can start building a programme to secure those assets. This will usually be a mix of technology and business processes that reduce the risks, internal and external, to those assets.
From a technology standpoint we would recommend our clients have a minimum of:
- Endpoint security solution.
- Email security solution.
- Patch management solution.
- Vulnerability management solution.
- Multi-factor authentication (MFA) wherever possible.
- Web filtering and URL protection.
- Mobile Device Management solution.
In terms of processes, we would strongly recommend:
- Comprehensive password policy.
- End-user cyber security training.
- Phishing testing programme.
- Strong access controls based on the principle of least privilege.
- Robust backup and DR/BCP plans.
- Reporting plan for cyber incidents.
If you want to benchmark your controls and policies against those of similar firms, organisations such as AIMA publish a ‘Sound Practices to Cyber Security Guide’ based on extensive research within the alternative investment sector.
It is important to acknowledge that the cyber security space is evolving all the time. The technology solutions and business processes that were adequate 12 or 18 months ago may now need to be changed, replaced or enhanced.
Your cyber security plan and strategy therefore needs to build in regular reviews and continual improvement: the risks change constantly, so the measures you put in place to mitigate them must evolve too.