Many businesses consider themselves protected against cybersecurity risks because they’ve implemented security “tools” or “products”. While that’s an essential component of cybersecurity, it’s nowhere near enough to protect organisations from cyberthreats if you can’t say how they are part of the business objectives.
Businesses can only consider they’re protected when they know what it is they are protecting, and if what they have implemented is focused on protecting just that. A successful security strategy will have a mix of security tools, processes, and policies followed and supported by employees.
They need to understand all the potential entry points for cyberattacks and create a holistic strategy that leaves no door open. However, there are many areas to consider, which makes it easy to overlook some. A risk assessment can help find the correct balance between security and usability, linked back to the business need.
There are five key questions you need to ask to determine your security strategy:
- What does your business need to protect?
Any business with an online presence will have some assets that are critical and material to its operations and can be affected by cyberthreats. For example, if the business runs an online store, or sells financial products online, it will need to protect customer data as well as any IP in the online application that gives the company a competitive advantage. Understanding what data and assets you have and how they relate to the business’s ability to operate safely and in good standing is key to knowing what to protect.
- What is your risk appetite?
What outages is the business prepared to accept? What level of negative media attention can it withstand before it affects the business, whether there is confidential or private data on the network, and, if so, how valuable it is to the business?
- What are the real threats this attack surface presents?
Understanding the reality of the threats you can face can help determine a risk profile. For example, given the right opportunity, hackers can control and monitor the corporate network and create an internal denial of service attack that’s difficult to troubleshoot. This type of incursion typically survives standard malware clean-outs. It’s important to know the real threats to protect against them effectively.
- What are the potential consequences of an attack via this entry point?
The consequences of an attack vary depending on the business but can include disruption to normal operations, including confidential data leakage and privacy infringements. In turn, this can lead to fines under the Privacy Act and reputation damage, particularly if the attacker uses the company’s network to attack others.
- How likely is an attack?
The likelihood of an attack depends on how open the network is to the public and the level of interest in the business itself. Some businesses are less likely to be attacked than others, depending on factors such as the industry they operate in or the businesses they partner with.
It’s important to conduct a security risk assessment, preferably in partnership with a cybersecurity expert. Leaders need to consider what controls should be implemented to protect their business and maintain variety in the right combinations. They should use preventative and detective controls together and make sure they have a response plan that is approved, understood, and tested.
Without conducting a security risk assessment, you may invest too much in security, wasting budget that could be better spent elsewhere. You may also under-invest in security measures, leaving you vulnerable to attack. The key is to get the right balance and place resources where they’ll deliver the best value.
Alex Morkos, Director, Aleron