Newsletter & Blog

What is Cyber Resilience?

Every business has risk, indeed there is no business without some level of risk.  You take risks every day, with every decision you take.  Is this new customer a risk?  Can I afford to provide some level of credit?  Is this new critical supplier reliable?  And so on.  Of course, you do some form of due diligence to mediate that risk, the aim being to reduce the risk to lowest level possible.  In other words, you undertake some form of risk assessment, whether it’s a formal written process or whether it’s done in your head or in discussion with staff, it’s still a risk assessment.

 

So, a very good question therefore, is why is this not applied to cyber security and by extension, to data protection?  This question does not just apply to small businesses, some quite large, mid-market businesses are very guilty of not applying risk assessment to cyber security.

 

Risk management is all about helping us to create plans in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.

 

As mentioned above, there is no business without risk, and it is important to understand what your risk appetite is and how to reduce risks in order to match that appetite. Risk must be recognised and then managed in some way or other, classified in some way.  Many choose a simple High, Medium and Low. This can be easier said than done as we all would like to abolish risk, as if that were an easy and simple option.

 

I often have clients say, ‘We have no clear definition of risk’.  How do they then manage something that they haven't defined? 

 

A clear lack of a definition is an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how to define ‘risk’ forces us to examine what we mean. It makes us ask questions and challenge assumptions.

 

Simply put, of course, a definition for an individual organisation may simply be this question for each business asset or process, ‘what would the risk to the business be if this process/asset was corrupted/denied/compromised or lost’?  This gives us 4 risks, data corruption, denial of access, lost and compromised data/hardware/software etc, and it allows us to immediately assign a level to that risk of high, medium, or low, depending upon the perceived hit on the bottom line.

 

It’s a false and dangerous notion that you can fully understand and manage all risk. Instead, you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent. 

 

Here at H2 we would argue that it is this lack of understanding of risk management as it applies to cyber security, that lies at the bottom of a lot of compromises of data and the attendant consequences.  How many companies out there, some quite large, leave cyber security to their IT department?  Most of them is the simple answer.  The consequence of this is often that any protections that are put in place, are nearly always technical, when perhaps a procedural protection would be more effective, such technologies are often in the wrong place and poorly configured.  Now I know there are some very competent network engineers out there who will be upset by that, but I’m afraid experience proves us right.

 

The main problem IT department face is that they are always looking for the technical solution.  It must be grasped that cyber security and data protection is a BUSINESS issue, not an IT issue.  It is the business that suffers if a breach occurs, not the IT department or more likely, the IT company you have under contract to run your network for you.  Following on from that comes that what you need to protect, in order of importance, i.e., what puts the business most at risk, is a business decision to decide, not an IT decision.

 

It is critical to identify your information assets, your threats, and vulnerabilities, which will then allow you to identify what is most at risk and target your spend accordingly.

 

None of that is particularly easy, and each company needs to decide whether or not some form of assistance is required to help arrive at the correct solution.  H2 is holding an event to describe this further, you can register on the following link - https://bit.ly/3c5M8mw.  We’ve decided that it would be best to hold off until after the summer holidays and do this in September.  Please look out for the invite and I look forward to seeing some of you there.

 

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services.

 

To learn more about the services we provide please click here https://www.hah2.co.uk/

 

Alternatively, please feel free to give us a call or email

 

T: 0845 5443742

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure