7 March 2018
Security controls executives should be asking their information security team about
Fewer than a third of CEOs and COOs are well informed on cyber security issues, according to a recent survey by recruitment firm Harvey Nash. This shows a significant disconnect between the executive board and the cyber security professionals who work for them.
Stuart Jubb, managing director of cybersecurity consultancy Crossword Cybersecurity, says it is important that senior management are knowledgeable about the threats a company is exposed to and how to reduce those risks. ‘This shows a commitment to cybersecurity from the top down, increasing your chances of spotting a breach before it happens, and taking the necessary steps to prevent it,’ he says.
If you are a board member who wants to increase your knowledge, and therefore your firm’s cyber security, Stuart suggests reading the NCSC 10 Steps to Cyber Security. We’ve summarised some of the more salient points here:
1) Information Risk Management Regime
This is a good place to start, as it establishes the governance structure and determines the risk appetite of the company. It allows the board to manage risk and sets the culture of the organisation through the supporting policies.
2) User Education and Awareness
As Centor has written about previously, you can have solid controls in place, but your people are often the weakest link: most breaches have a human element to them. Users should be trained on the technical controls in place and made aware of the policies and procedures they are expected to follow.
3) Incident Management
Even with the right training and procedures in place, a security incident is inevitable, so employees need to know what to do when one happens. The response plan should be rehearsed and refined regularly so that everyone knows their role, which reduces the impact of an attack.
4) Home and Mobile Working
It is now common for companies to make it easier for employees to work remotely. This has many benefits, but it also exposes the business to more ways of being breached. Policies and procedures should be in place so that users know best practice when using their devices away from the office. Mobile working can leave a company especially vulnerable, so extra precautions should be taken, including secure device builds, encryption and antivirus software on all mobiles, laptops and tablets.
5) Managing User Privileges
Users should only be given access to the systems they genuinely need to do their job. Staff roles change often, so access should be reviewed regularly to ensure it is kept to the minimum required.
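One way to make the regular review in point 5 repeatable is to compare each account's actual entitlements against what its current role is expected to need, and to flag dormant accounts at the same time. The Python below is an added example written for this summary, not code from Centor, Crossword Cybersecurity or the NCSC; the role baseline, account names and the 90-day dormancy threshold are all constructed for illustration.

```python
"""Least-privilege access review: flag entitlements that a user's current role
does not justify, plus dormant accounts, over a constructed sample user list."""
from dataclasses import dataclass

# Hypothetical role-to-entitlement baseline: the access each job role is
# expected to need. Assumed for this example; a real one comes from HR/IAM.
ROLE_BASELINE = {
    "finance-analyst": {"erp-read", "expense-portal", "vpn"},
    "sysadmin": {"erp-read", "erp-admin", "ad-domain-admin", "vpn"},
    "sales": {"crm-read", "crm-write", "vpn"},
}


@dataclass
class Account:
    username: str
    role: str                   # current role from the HR system
    entitlements: set           # groups/permissions actually granted
    days_since_last_login: int


def review_account(acct, baseline=ROLE_BASELINE, dormant_days=90):
    """Return findings for one account. 'excess' lists entitlements not
    justified by the role; 'dormant' flags accounts unused for more than
    dormant_days; 'unknown_role' flags roles with no baseline (manual review)."""
    allowed = baseline.get(acct.role, set())
    return {
        "excess": sorted(acct.entitlements - allowed),
        "dormant": acct.days_since_last_login > dormant_days,
        "unknown_role": acct.role not in baseline,
    }


def has_findings(findings):
    return bool(findings["excess"] or findings["dormant"] or findings["unknown_role"])


def review_all(accounts, baseline=ROLE_BASELINE, dormant_days=90):
    """Map username -> findings for every account that needs attention."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, baseline, dormant_days)
        if has_findings(findings):
            report[acct.username] = findings
    return report


# Constructed sample data. alice moved from sysadmin to finance but kept her
# admin groups; bob is clean; carol has not logged in for four months; dave's
# role has no agreed baseline.
SAMPLE_ACCOUNTS = [
    Account("alice", "finance-analyst",
            {"erp-read", "expense-portal", "vpn", "erp-admin", "ad-domain-admin"}, 3),
    Account("bob", "sales", {"crm-read", "crm-write", "vpn"}, 1),
    Account("carol", "sales", {"crm-read", "vpn"}, 120),
    Account("dave", "contractor", {"vpn", "crm-read"}, 10),
]

if __name__ == "__main__":
    for user, f in review_all(SAMPLE_ACCOUNTS).items():
        print(f"{user}: excess={f['excess']} dormant={f['dormant']} "
              f"unknown_role={f['unknown_role']}")
```

In practice the baseline comes from the HR or identity system and the entitlements from a directory export (for example Active Directory group membership); anything reported as excess is either removed or recorded as an approved exception, and dormant accounts are disabled until the owner confirms they are still needed.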
6) Removable Media Controls
Removable media such as USB drives are a common route for attackers to introduce malware. Many organisations remove the risk entirely by not allowing USB sticks and similar devices, but this is not always possible. Where it is not, ensure their use is carefully controlled, and consider alternatives such as secure dropbox solutions for transferring files.
7) Third Party Supplier Management
Attackers are increasingly targeting third-party suppliers as a way into the companies they serve. It is important, therefore, to ensure your suppliers practise at least a basic level of cyber security.
These points form part of a robust risk management programme to protect your company. But it is also important to have a Cyber Liability policy in place, since incidents will inevitably happen. We only recommend cyber insurers whose offering includes a dedicated Incident Response service to assist you should a breach occur.
For more information, please get in touch with:
James Groves, Assistant Manager – Commercial Division
0207 330 8707