Newsletter & Blog

H2 Newsletter Edition 9

I recently read the latest from the Eastern Cyber Resilience Centre, a government-sponsored body, and it was gratifying to see another professional organisation recommending the steps we've been banging on about for some time, starting with risk management. If you don't understand the threats you face, and the vulnerabilities that go with them, how can you be sure that your spend on cyber protections is actually being spent well and effectively? How many mid-market organisations out there have carried out some form of risk assessment, have a good handle on their cyber security assets (and no, that doesn't mean your hardware and software), have assessed the threat, and have married it all together to give an accurate assessment of the risk to each asset individually? And finally, how many have decided what level of risk is acceptable to them, known as their risk appetite, and then taken the appropriate steps to mitigate each risk down to that level? Not many, I'll wager.

They also agree with me that Cyber Security Awareness Training is of paramount importance, and yet many companies simply don't bother with it. How can you expect your staff to understand the threats they face, particularly from scammers, if they haven't had some form of education in that regard?

Next comes security architecture and design. All this simply means is designing a security system that matches the risk. There are any number of frameworks that can be used to map one to the other, and here at H2 we are completely at home with several of them. There is no such thing as one size fits all, and we can mix and match to achieve the aim.

Another very important part of cyber security is Identity Management. This means much more than just a password. Did you know, for instance, that if you want Cyber Essentials certification these days, then two-factor authentication is a must? And not just for your internal systems, but also for any cloud-based systems you might be using. A good ID management system allows you to be very granular in the access you give to staff: for example, granting access to HR systems only to HR staff and perhaps senior management, or granting access to financial systems only to finance staff. You can be even more granular than that and grant access to payment systems only to those finance staff who are authorised to make payments. You may think you can do that at the moment, but just allocating file access is not a particularly secure way of doing it. ID systems let you manage all of these things centrally; you can even outsource the management to your IT provider, assuming of course they have the right skills to handle it.
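To make the "central, granular access" point concrete, here is an added example (not code from H2 or from any ID management product) of a small central policy that encodes exactly the rules above: HR systems for HR staff and senior management, finance systems for finance staff, payments only for finance staff with an explicit authorisation flag, and nothing at all without 2FA. The role, system and attribute names are constructed for the illustration.

```python
from dataclasses import dataclass, field

# Central policy: which role may do what on which system. The roles and
# systems below are constructed to mirror the newsletter's HR / finance /
# payments scenario; they are not any real product's configuration.
ROLE_PERMISSIONS = {
    "hr":                {"hr_system": {"read", "write"}},
    "senior_management": {"hr_system": {"read"}},
    "finance":           {"finance_system": {"read", "write"},
                          "payment_system": {"read"}},
}

# Finer-grained rule: making a payment needs the finance role AND an
# explicit per-user authorisation flag, not just membership of a group.
ATTRIBUTE_PERMISSIONS = {
    ("payment_system", "pay"): ("finance", "payment_authorised"),
}


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    attributes: set = field(default_factory=set)
    mfa_verified: bool = False   # has this session completed 2FA?


def is_permitted(user: User, system: str, action: str) -> bool:
    """Single, central decision point: may `user` do `action` on `system`?"""
    if not user.mfa_verified:        # 2FA is a precondition for any access
        return False
    required = ATTRIBUTE_PERMISSIONS.get((system, action))
    if required:                     # attribute-gated actions (payments)
        role, attribute = required
        return role in user.roles and attribute in user.attributes
    return any(action in ROLE_PERMISSIONS.get(role, {}).get(system, set())
               for role in user.roles)


def effective_permissions(user: User) -> set:
    """Everything a user is entitled to (ignores MFA state), for access reviews."""
    perms = set()
    for role in user.roles:
        for system, actions in ROLE_PERMISSIONS.get(role, {}).items():
            perms.update((system, a) for a in actions)
    for (system, action), (role, attr) in ATTRIBUTE_PERMISSIONS.items():
        if role in user.roles and attr in user.attributes:
            perms.add((system, action))
    return perms
```

Because every check goes through `is_permitted`, adding or removing an entitlement is one change to the policy table rather than a hunt through individual file permissions, and `effective_permissions` gives an auditor the "who can do what" view in one call.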

There is of course a lot more to this, and there will be companies out there that don't need it all, or perhaps don't need to go into quite as much depth, but unless you take a good look at this, you won't know. Security isn't about tech; it's about a lot more than that, and tech alone won't solve the problem. A good quote from a well-respected Harvard-based cyber security guru, Bruce Schneier, goes something like: 'if you think technology will solve your security issues, you don't understand the technology and you don't understand the issues'.