When it comes to cyber-security, there are plenty of misconceptions.
One of the biggest is that cyber-security is of medium or low priority, and responsibility for it lies at a day-to-day, operational level.
This is arguably the most dangerous misconception out there.
Through this series of articles and our masterclass videos produced by Business Reporter, we’ll examine what a strong cyber-security strategy looks like and how to build one through informed investment from the board level down.
These articles draw on Mo Ahddoud’s 25 years of cyber-security experience to explain the logic and common mistakes he’s seen in corporate cyber-security, while our downloadable guide offers you actionable advice to improve your own strategy.
This article starts the series by exploring why cyber-security needs to form part of an organisation’s high-level, strategic planning.
The risks of inadequate cyber-security
Our businesses are part of a world that’s more connected than ever, and that comes with risks. Even though we began to return to normal after the COVID-19 pandemic, 2021 nevertheless saw a 50% increase in attacks on corporate networks compared to the year before.
The trends we’re seeing suggest that no business is safe from cyber-criminals. While the manufacturing industry was the most targeted, finance & insurance, professional & business services, energy, retail & wholesale, and healthcare were all listed among criminals’ frequent victims.
As individuals and organisations, we can’t do much about criminal activity—it’s likely to occur regardless. So we focus on the things we can control, and it turns out that one of the biggest dangers facing our businesses is our own misunderstandings around cyber-security.
Why cyber isn’t just a tool or a project
Another big misconception is that cyber-security can be ‘achieved’ through a discrete project of work. There are no off-the-shelf solutions for securing your business. It takes understanding of a business in its entirety to identify risks and work to mitigate them.
There’s no end date where you can suddenly say “my business is now secure”. It’s all about getting to a level of risk that you’re comfortable with and having a plan to respond to incidents when necessary.
How cyber supports business strategy
Security and compliance decisions need to be made at the highest level. Boards understand the scope of data an organisation deals with, and can classify it appropriately.
For instance, marketing data needn’t be secured in the same way that personnel files are. The same is true for supply chains—IT staff might struggle to fully capture and understand an organisation’s supply chain, while executives can offer key insights.
Gartner vice-president and analyst Paul Proctor notes that cyber-security incidents are failures of decision-making rather than technology. This is part of the reason why cyber decisions are often business decisions rather than tech decisions. I compare cyber to a more universally recognised function, sales, in the video below.
In many cases, preventing every single breach may not be possible. Instead, reducing the risk and ensuring the business can recover from an incident is how investment in cyber proves its worth. As with any risk management activity, it is a balancing act between how far the risks are mitigated and the costs of doing so.
Cyber is ongoing
Looking closely at the nature of cyber threats and cyber-security, we can see even more clearly that treating cyber as a one-time project is futile. As your business changes, the way you collect, use, and store data may change, and those modifications come with new risks. The way employees access your network might change too, as we saw so drastically during the pandemic, and that brings its own challenges.
But not only does your business evolve, so does the threat landscape it’s facing. Criminals aren’t resting on their laurels; they’re out there looking for new ways to attack organisations. This means that a solid cyber strategy looks at the present and the future to ensure organisations are secure, can recover from incidents, and can continue adapting to the latest threats.
This is the reason why, when we work with a business, we consider their security strategy to be a live document. It’s something we constantly refer to, review, and improve with the aim of staying in touch with what’s out there.
Make the case for cyber in your organisation
Your competitors are taking cyber seriously, and you should too. But what does building cyber-security into your strategic planning look like?
At Chameleon Cyber Consultants, our mission is to help businesses understand and manage cyber-security risks through adaptable strategies that match the evolving threat landscape. We support customers to achieve commercial objectives whilst remaining secure and compliant without unnecessary expenditure.
Those aims led us to create our strategic planning action guide for cyber security. This downloadable manual is full of actionable ways to embed cyber in your business’s overall strategy and ensure you’re ready for anything.