Cyber resilience requires more than just cyber security
To protect themselves from ever-evolving cyberattacks, it is critical for organisations of all sizes, from schools and hospitals to small business and critical national infrastructures, to stay ahead of the game by investing in quality security products. The goal is to stop all attacks, which is often referred to as cyber security. But these defences are proving insufficient in the face of attacks that grow more sophisticated by the day. We need cyber resilience in addition to cyber security, and it's important to understand the difference.
Cyber resilience starts with hitting the nail on the head by nailing the nuts and bolts of cyber security. This includes patching vulnerabilities, detecting and mitigating threats, and educating employees on how to defend company security and how to recover after the threat. But we need to be doing these things continuously, not just once a year.
Get physical
Beyond that, businesses need to build resilience into every part of the business premises. Physical site security is equally as vital as cyber security for securing your data. According to the 2019 Verizon report, physical theft was identified as one of the nine basic patterns of security incidents and data breaches, with paper documents and laptops as the top two stolen physical assets involved in data breaches. One of the most common theft locations identified was the target's work area. Investing in cyber security alone leaves organisations vulnerable, with anyone able to enter their site and uplift property containing company data.
Physical security solutions, such as perimeter fencing and access control, can protect your data by preventing unauthorised people accessing your site. Access controlled doors secure important work areas and keep a record of who is entering or exiting these areas. The option to add two-factor authentication ensures anyone entering an area is who they say they are, and where and when they should be. The business then can relate physical and cyber presence for a higher level of security
While physical security supports cyber security solutions, cyber security is also necessary for protecting physical security solutions. A cyber-attack on your physical security system could give hackers access to data held within the system, or enable them to remotely control your doors, cameras, or alarms. It's vital to keep your cyber security and physical security systems up to date and working together to protect your organisation.
Get a pen test done and stay up to date
The weakest target is the easiest way in. An outdated security system provides an easy way in for hackers, who can then navigate to the data they're looking for, such as personal customer information. To provide the best level of protection, it's not only vital to undertake regular internal and external penetration testing to ensure solutions are hardened but to also keep your systems up to date.
Gallagher, the leading security solutions manufacturer, carries out internal and external penetration testing during development of all its security products to identify vulnerabilities before updates or new solutions are released. You just need to implement the regular software and hardware updates available across all devices to stay current with cyber threats and effectively manage obsolescence.
Being up to date doesn't necessarily mean replacing security hardware with the latest products every time a new cyber threat is announced. It's about being immersed in security information, knowing what current and emerging cyber threats pose a risk to your business, being aware of any vulnerabilities that may exist within your system, and acting to mitigate cyber risks to your organisation.
Security hardware that easily allows firmware upgrades is a simple measure for ensuring your systems stay current for longer. From time to time, manufacturers will release firmware upgrades, which could be in response to emerging cyber threats, or a vulnerability discovered within the system. We know that cyber threats can evolve quickly, so choosing a solution that allows updates to be easily pushed out from a central location, such as Gallagher's award-winning site management software Command Centre, enables organisations to react quickly if a threat is detected.
Get people onboard
In short, creating a secure environment against the ever-present threat of cyber-attacks requires good technology deployed in a secured way with regular updates. But people and culture also make up a large, albeit less predictable, part of your cyber defence.
From a cyber risk point of view, once your technology is fairly locked down, people become the easiest way in. All the end-to-end encryption, upgrades and patches in the world won't protect your business from social engineering attacks, errors by employees who don't understand the risks or, in the absolute worst case, malicious internal threat actors intentionally disrupting your systems.
The human element can create vulnerabilities in some of the most secure environments. But where there's risk, there's opportunity. People and culture can also be a great asset when it comes to your cyber security.
Get proactive
The simplest way to get started when addressing people and culture in cyber security is to ask one question: Who in our business cares about this? If the answer is, "Just me and the IT guys," then it's time to get moving and make cyber security a priority for all your people, from the guard at the gate to the CEO's office. Identify champions across your business who can keep cyber security visible and meaningful to employees, supporting people to help protect what matters most from cyber threats. With the backing of policy, education and culture, people will feel empowered to make a difference, which means cyber security becomes embedded as a "business as usual" approach. In other words, look after your people and they'll be more likely to look after you.