I came across the image that accompanies this and it triggered an urge to go into print on the subject. Setting a budget for cyber security is an interesting conundrum. Most large enterprise organisations estimate that about 5-10% of their overall IT budget needs to be spent on security, although that figure is rising almost annually and some organisations are saying that it is now almost double that. When you have an IT budget in the millions, that percentage is a large sum, which explains why the larger IT companies and consultancies concentrate on that market and pretty much ignore the SME market which, according to the DTI, represents around 95% of the UK's GDP.
If you’re an SME, what should you be looking at? Well, to start with, most SMEs only really have an IT budget in mind for maintenance, i.e. any maintenance and management contracts you have in place, what a rolling replacement of IT equipment might cost, etc. Any additions to the IT estate will probably be figured into whatever project you might be planning for the future, for instance an expansion, maybe a new product line or activity, perhaps a move to a new location.
So it remains that risk management is the best way to set any budget for an SME, allowing them to understand their risk and how to mitigate that risk cost effectively. And it also remains that most SMEs don’t fully understand that risk or how it is quantified. This in turn leads to some stable door slamming, well and truly after the horse has bolted, hence the image at the top of this article. Any retrofit of security is likely to cost considerably more than getting it right from the start.
At H2 we often hear, ‘We have no clear definition of risk’. How on earth can we manage something that we haven't defined? Fair enough. Given this, how can we really know what is meant when we talk about ‘cyber risk’, or more accurately ‘information risk’, for it is the information held on your systems that must be protected? All information has a value which can be quantified in monetary terms, and that helps you to understand the risk to the bottom line if a loss or compromise of data occurs. The lack of a single agreed definition can actually be an essential aspect of risk management: because organisations won’t necessarily know exactly how everyone defines ‘risk’, they are forced to explain to each other what they mean. It makes us ask questions and challenge assumptions.
A good starting point is an acceptance that risk can’t simply be abolished. Risk must be recognised, classified in some way (many choose a simple High, Medium and Low) and then managed. This can be easier said than done, as we would all like to abolish risk. If only that were an easy and simple option.
Simply put, a working definition for an individual organisation may be this question, asked of each business asset or process: ‘what would the risk to the business be if this process/asset was corrupted, denied, compromised or lost?’ This gives us four risks (data corruption, denial of access, compromise and loss, applied to data, hardware, software, etc.), and it allows us to immediately assign a level of High, Medium or Low to each, depending upon the perceived hit on the bottom line.
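As an added illustration (not from the article and not part of H2's IRAM process), the following Python risk register asks that question of every asset: each asset is scored against the four outcomes by its estimated monetary impact, that figure is mapped to High, Medium or Low, and the register is ordered by worst case and total exposure. The thresholds and the asset figures are constructed for the example.

```python
from dataclasses import dataclass

# The four outcomes named in the article: corrupted, denied, compromised, lost.
SCENARIOS = ("corrupted", "denied", "compromised", "lost")
# Constructed thresholds (pounds of bottom-line impact); tune these to the business.
HIGH_THRESHOLD = 50_000
MEDIUM_THRESHOLD = 5_000
LEVEL_RANK = {"High": 3, "Medium": 2, "Low": 1}

@dataclass
class Asset:
    name: str
    impact: dict  # scenario -> estimated monetary impact (constructed figures)

def rate(impact_gbp: float) -> str:
    """Map a quantified monetary impact to the High/Medium/Low scale."""
    if impact_gbp >= HIGH_THRESHOLD:
        return "High"
    if impact_gbp >= MEDIUM_THRESHOLD:
        return "Medium"
    return "Low"

def assess(asset: Asset) -> dict:
    """Rate every scenario for one asset; refuse an incomplete register entry."""
    missing = [s for s in SCENARIOS if s not in asset.impact]
    if missing:
        raise ValueError(f"{asset.name}: no impact estimate for {missing}")
    return {s: rate(asset.impact[s]) for s in SCENARIOS}

def prioritise(assets: list) -> list:
    """Return (name, worst level, total exposure) ordered by worst level, then exposure."""
    rows = []
    for asset in assets:
        levels = assess(asset)
        worst = max(levels.values(), key=LEVEL_RANK.__getitem__)
        exposure = sum(asset.impact[s] for s in SCENARIOS)
        rows.append((asset.name, worst, exposure))
    return sorted(rows, key=lambda r: (LEVEL_RANK[r[1]], r[2]), reverse=True)

# Constructed sample register for a small business (figures are illustrative only).
SAMPLE_ASSETS = [
    Asset("customer database", {"corrupted": 20_000, "denied": 8_000, "compromised": 120_000, "lost": 60_000}),
    Asset("sales laptop", {"corrupted": 3_000, "denied": 6_000, "compromised": 40_000, "lost": 7_000}),
    Asset("meeting-room whiteboard", {"corrupted": 100, "denied": 50, "compromised": 2_000, "lost": 100}),
]

if __name__ == "__main__":
    for name, level, exposure in prioritise(SAMPLE_ASSETS):
        print(f"{level:6} £{exposure:>9,}  {name}")
```

The ordered output is the starting point for the budget conversation: controls are funded first for the assets at the top of the list.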
It’s a false and dangerous notion that you can fully understand and manage all risk. Instead, you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent. Don’t try and chase the Holy Grail of perfectly secure systems and a risk-free business; just make sure that you have thought about what can go wrong, and that this thinking has influenced your decisions.
Don't despair, you can still protect yourself from many cyber attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.
It’s worth repeating from an earlier article that H2 has developed an industry-leading Triple A (Affordable, Appropriate and Accreditable) risk assessment process to remedy this, and to ensure that your information is effectively protected at the right cost. This is called the Information Risk Assessment and Management (IRAM) process.
But how do you do this? Where to start? The IRAM process works as follows:
- Phase 1 – H2 conducts an assessment reviewing your existing information security, data protection protocols, technical security controls, and processes and procedures to determine their effectiveness and appropriateness.
- Determine the Data Assets (computers, mobiles, filing cabinets, whiteboards, servers, people, etc. – i.e. everywhere that data is held, in hard or virtual copy or in someone’s head).
- Run through each Data Asset (or group of them) against the Controls and Procedures in accordance with your security policies (if you haven’t got security policies then that’s a whole other discussion), to determine which should apply and how they are currently being applied. It’s very useful to use a standard such as ISO27001 for this, even if you have no intention of applying for certification.
- Phase 2 – Working to your timescale and budget, H2 implements the findings from the risk assessment process, which has used 27K1 ISMS. This could include introducing simple changes to your processes, all the way through to implementing technical solutions that provide effective protection from threats.
- Phase 3 – People within a business come and go, and cyber threats and risk are continually evolving. Due to this, H2 works with you to develop an appropriate package of staff training and security system maintenance activities that keep you protected in the long term. Available on a retainer (as needed) or monthly subscription basis, this phase ensures your business is fully IRAM compliant.
If you have a system to help you with this, then that really is the way to go. H2 has partnered with Secure Business Data to enable us to use, and where appropriate, to sell 27K1 ISMS. This is a risk assessment tool that is specifically targeted at SMEs and is therefore very competitively priced. It can come with an annual or a monthly fee, however you prefer. We have adopted this system for use with our IRAM Service.