Demystifying Cyber Security Compliance

Cyber security is a phrase being debated in many board meetings at the moment, with some considering the broader category of information security.

Unfortunately, the sheer breadth of solutions, industry acronyms and “best in the world” vendors make tackling the cyber security risk a daunting task.

If cyber security is the buzzword, everybody’s next least favourite term is compliance.

The completely justified worry about the threat to everyone (organisations and people) by cyber criminals is driving more suppliers, insurance brokers and tenders to quote “compliance with X standard” as a prerequisite.

While we’re seeing this across the board, it is particularly prevalent in organisations that are in public sector supply chains where compliance with ISO 27001 and/or Cyber Essentials is a requirement.

20 seconds to comply

So why are standards so difficult to implement? At the risk of making sweeping generalizations, it’s because many organisations treat them as a target (getting a certificate on the wall) rather than a tool to help improve security. They rush to get standards done against a timeframe rather than against a set of outcomes (e.g. “we must have 27001 by x date” rather than “let’s get accredited at x milestone”).

Information security standards provide a clear set of activities and routes to improving your information security and when followed, significantly reduce the risk to your company.

Security standards help kick start the risk reduction process (often called risk treatment) by providing either prescriptive controls that must be applied (as is the case of Cyber Essentials) or a broader set of good controls (as provided by Annex A of ISO 27001).

It’s just risk…

Mature companies are generally pretty good at managing traditional threats that pose a risk to their business such as fire, theft, legal action, etcetera. Information security should be approached in the same way, though due to its complexity just requires a more granular approach and many – though not all – of the mitigations will be technical in nature.

As with any risk, security risks have varying levels of impact but as demonstrated in recent high-profile attacks, cyber attacks are particularly devasting due to the financial penalties (in the form of fines), financial costs, operational downtime, customer confidence and significant reputational damage.

Where to begin?

If you want to protect something, you need to know what it is first – sitting down and deciding that you need a strategy to protect “some stuff” is never going to end well – and so it is that you need a list of all of the assets you want to safeguard. This list – or register – cannot be completed by a single person, the whole business needs to be involved in ‘asset discovery’, typically via discovery sessions held with each department to find out what is critical for them.

While asset types and their priorities differ from one organisation to the next, common asset types include physical assets (buildings, IT equipment, paper records, manufacturing equipment) and digital assets (documents, financial data, websites, email data, domain names).

Once you have your first draft of the information assets you want to protect, you need to start thinking about the vulnerabilities they have and the threats to them. For example, employees are vulnerable to social engineering – the threat here is typically confidence scam criminals. Likewise, software has vulnerabilities that are flaws in code, the threat to these is cyber criminals or perhaps employees looking to gain unauthorized access.

Next, you need to consider how likely the threats are to occur, and what the impact is if they do occur – this provides you with a prioritised list of risks, so you can start identifying mitigations for them.

When should we do it?

Now. Many organisations get stuck at the first hurdle and so never start but as the saying goes, don’t let perfect be the enemy of good. If your first attempt at a cyber security strategy only reduces a small number of risks, those are still risks you had yesterday but don’t have today and your next attempt will be even better. Begin!