With 557 reported data breaches in 2018, it’s safe to say that cyber security should be a top priority for all organisations.
Most organisations are already well-aware of this threat and are pouring money into their security budgets. Gartner estimates that worldwide cyber defence spending could hit $114 billion (about €102 billion) in 2019, as organisations tackle the growing threat of cyber crime alongside the compliance requirements of the GDPR (General Data Protection Regulation).
But before opening up your chequebook, you need to make sure that any investments address the full range of vulnerabilities in your organisation.
Too many people believe that cyber security is just about technology. However, you also need to ensure that you have the correct processes in place to get the most of those technologies and train staff to avoid costly mistakes.
It’s only when you invest appropriately in each of these three domains that you can be confident in your organisation’s cyber security posture.
So, what do those domains involve?
The ‘people’ aspect of cyber security refers to staff training. The level of training you provide will depend on whether the employee has a technical or non-technical role.
Non-technical staff don’t need advanced cyber security knowledge, but they do need a strong understanding of the fundamentals. A security awareness programme, or training courses that address specific issues like phishing, are essential.
Technical staff will already have a strong understanding of core security principles, but they should still be part of your general staff training activities alongside further training to help them stay up to date with the evolving threat landscape and security best practices.
Given the ever-widening cyber security skills gap, it might also be worth encouraging employees to gain advanced qualifications that will help them move into more senior roles.
Staff training goes hand-in-hand with organisational processes. These are written instructions on the dos and don’ts of various practices.
ISO 27001, the international standard for information security, provides a complete set of cyber security processes based on the implementation of an information security management system.
We’ve placed technology last to emphasise the fact that it should support people and processes rather than being relied upon.
Technological defences can automate processes that would otherwise take a human a long time to complete, such as identifying threats in your systems. Other technologies act as a first line of defence that weed out threats so that a human doesn’t have to, like spam filters.
But whatever the technology is doing, you can’t assume that it will be 100% effective. For example, email scanning software will send the majority of suspicious emails to employees’ junk folders, but that still leaves a lot of emails that end up in inboxes.
That’s why you need to train employees to spot suspicious emails and give them processes to follow.
Invest wisely with IT Governance
One of the biggest obstacles to effective cyber security is identifying which domains need the most attention. If you get this right, you can be sure that each technology, process and training course complements the other, and that you’re getting the most out of your investment.
You can get advice on how to boost your overall cyber security posture by booking time to speak to our cyber security experts. Whether you’re looking for general advice or want support with specific requirements, our team of experienced data privacy and data protection experts are happy to help.