It has been increasingly difficult not to notice the surge in data compromises that have been plaguing various industry leaders in recent months, and as a result conversations about how organisations mitigate Cyber Security risk have become a hot topic. Ultimately, Cyber Security is just another risk that a business needs to manage in the same way as financial, operational, strategic or compliance risk. However, because of the fear the words “Cyber Security” stir in us all, we can forget that there are actually some very simple ways of alleviating, or at least diminishing, this risk.
There are four main types of risk treatment that can be applied to Cyber Security:
Avoiding Cyber Risk is probably one of the most difficult risk treatments, as the only way to truly secure a device or service is to disconnect it from the Internet, lock it in a room with armed guards and power it off. This isn’t a practical option at all (unless, of course, you’re in the military and have ready access to armed guards!) as the unfortunate truth is that trying to avoid Cyber Risk without any form of treatment other than burying your head in the sand is almost impossible to pull off.
Reducing risk is the category that Softcat’s services generally sit in. We offer a wide range of Cyber Security solutions that help customers reduce their risks. This can be achieved by a blend of different technical controls that will vary depending on what you are aiming to protect. I’ll come back to this a little later.
Risk is frequently transferred via Cyber Security insurance, given the large fines and reputational damage a breach can cause. These policies reimburse customers or the business should a breach occur. Alternatively, organisations can outsource their applications or the security of those systems to a third party with contracts that offer compensation in the event of a breach.
The most common Cyber Security treatment customers apply is acceptance. This is often an appropriate treatment once all other reasonable steps have been taken. It is impractical to think you can insulate yourself from every conceivable threat, so businesses must always accept some level of risk.
Risk treatment is like adding ointment that soothes the sore spot, but is only a temporary remedy to the underlying ailment. So how can you go one step further in the risk race and apply some serious medicine?
The top five things you can do to reduce risk are as follows:
Most attacks are not sophisticated and take advantage of unprotected machines that are not updated. Think about what your strategy is for updating systems. What is the average time between an update being released and deployed? Are you concerned about this window? Perhaps, then, it’s time to patch up those gaps and regularly update your machines as a start to building the barricade between your business and the firing line.
Unfortunately, misconfiguration of applications or services is one of the primary reasons infrastructure gets breached. These bad configurations leave otherwise secure systems wide open to attacks. Utilising the offerings of professional services can enable you to better look at how your systems are deployed to flag up any common errors.
Controlling how devices (especially non-company-owned devices) access applications and services is an important way to stop compromised devices getting behind the security layers of your organisation. More and more personal devices are finding their way into daily business, and having key security measures in place like robust asset management processes will mean that the risk associated with lost or stolen devices is immediately reduced. Likewise, implementing a system for leavers and joiners is imperative to ensure that no sensitive data goes walkabout.
There is no point buying lots of shiny and expensive new security equipment if staff set terrible passwords like their cat’s name or a birthday date instead of adhering to strict password policies. Look to utilise a tool that generates passwords randomly and stores them in a vault. Multi-factor authentication (2FA) can be used to supplement passwords and further reduce this risk.
Vulnerability scanning will allow you to better understand the risk of each of your systems and provide a to-do list of security steps that need to be taken to get systems up to scratch. On-premise solutions can be deployed to scan the internal network for vulnerable servers. Alternatively, Softcat offers an external vulnerability scanning tool that is both affordable and easy to set up.
If you would like to learn more about better securing your business and how to reduce the overall risk, speak with your Softcat Account Manager or get in touch using the form below.