Directors Cyber Responsibility
Back in the old days, when I first started working in this sector, cyber security had a different name – we called it IT security. Now you may or may not like the ‘cyber’ moniker (plenty of my colleagues really dislike it!) but it does at least get us away from thinking that protecting your organisation from hackers is just a problem for the head of IT. Which leads us to the topic of today’s post – if you’re a company director what should you be doing about cyber security?
To start with the ever-helpful National Cyber Security Centre (NCSC) have produced a short list of discussion topics for the board, which you can read here:
Now, I recognise these are all technical questions, despite what I said above about this not just being an IT problem. Of course, the reality is, some of the key components of your cyber security strategy will be IT related but changing culture and adopting new technologies will require the support of the board and, as you work through the solutions the NCSC recommend, you’ll note that not all are technical.
Getting your cyber security posture in good shape will require input from HR (for managing new and departing staff, and staff awareness training), legal (you may build security requirements into contracts) and of course everyone who uses your computers and handles your data will need to be onboard with any new processes and technology.
I would recommend that medium or large company has a defined cyber security strategy, starting with an assessment of your current posture which can be used as a baseline for defining what steps need to be taken, in which order and how much money you need to spend (restricted of course by how much you have!).
Again, you can look to the NCSC for some guidance here. The Cyber Essentials scheme is a cyber security framework and compliance standard created by the UK government. Even if you don’t want to become accredited, it is a useful set of guidance for informing your cyber strategy. You can find more information here:
For smaller companies none of the above should be difficult, though if you have not thought much about cyber security before it might still require some organisational changes. If you are a big user of cloud services (such as from Microsoft or Google) then you can use the tools they provide to give you an extra layer of security. The key thing is to make use of the good guidance that is available and take concrete, practical steps to protect your organisation and customers data.
If you have questions, want help getting started, would like some training, or would like extra visibility of who is accessing your cloud services and what they are doing, please get in touch.