I read a post on LinkedIn the other day, discussing the principle of Secure by Design.  It’s a very interesting topic and one that correlates perfectly with my recent posts on the issues surrounding SMEs, and their attitude to Cyber Security, and the posts about risk management.

What do we mean by Secure by Design?  Well, it’s all about identifying and managing your risks, so your future cyber security strategy, and the resources needed to fulfil that strategy, might look very different to how it’s structured today.  It will take a clear business focus, with the management team clearly communicating the business requirements to the IT and cyber security teams, so that everything is in alignment.

Let’s look at how most SMEs approach cyber security today.  To be fair to them, their focus is on obtaining IT solutions that support the business, and obtaining them as cost effectively as possible, and with the minimum of support costs.  Cost control is vital to many SMEs.  This means that they are extremely reluctant to spend money on what they see as not being part of their core business.  Of course, if they get a cyber-attack or scam, or worse a data breach attracting the attention of the ICO, then their costs trying to fix the issue can easily outstrip any costs in prevention.

The approach most take is to trust their IT provider to give them the protections they need.  Most of these IT providers are what is known as re-sellers, ie they sell other people’s products and will push those products because that’s their business model.  What they won’t do is take a risk managed approach which is essential in ensuring that any limited spend on security, limited because the SME is cost constrained, is targeted where it’s needed and will be most effective.  In other words, the technological approach taken by most IT support company’s, will do half a job at best.

In essence then, if you don’t understand the risks you face, how can ensure that your cyber security strategy and protections, are fit for purpose?  Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.

We need to manage risk to enable us to make the best possible decisions, based on our analysis of future events and outcomes. Whilst the future can be anticipated to an extent, there are limits to how much it can be anticipated.

Business risk, in terms of cyber security, encompasses all aspects of protecting your assets, including computer systems and networks, from unintended or unauthorized access, change or destruction. Cybersecurity includes controls, processes, and technologies to ensure the protection of data, programs, networks and associated software from unauthorized access or attack.

Cybersecurity protects organisations from malicious cyber-attacks and data breaches. A comprehensive cybersecurity strategy should include preventive measures such as strong authentication protocols, encryption, and threat intelligence analysis; detection mechanisms to rapidly identify attacks; response plans to quickly mitigate the damage; and recovery procedures to help recover after an attack. All these operational capabilities can help ensure organizations are better prepared to defend themselves against potential threats.

This differs from the purely technical approach which is a branch of cyber security focused on protecting computers, networks, and programs from unauthorized access to data either by hackers or other malicious players using tools such as firewalls, anti-virus software, intrusion detection systems and more to prevent and defend against attackers. It is subservient to the overall strategy, which is focused on People, Process and then Technology.

A good starting point is an acceptance that risk can’t simply be abolished. Risk must be recognised and then managed in some way or other, classified in some way, many choose a simple High, Medium and Low. And whilst we would all like to abolish risk, that won’t happen.  There is no business without some risk, the trick being to minimise risk to an acceptable level.

You will often hear the claim, ‘We have no clear definition of risk’. How on earth can we manage something that we haven’t defined?  Fair enough. Given this, how can we really know what everybody else means when they talk about ‘risk’?

We can see a clear lack of a definition as an essential aspect of risk management. The fact that organisations won’t necessarily know exactly how everyone defines ‘risk’ forces us to explain to each other what we mean. It makes us ask questions and challenge assumptions.

Simply put, of course, a definition for an individual organisation may simply be this question for each business asset or process, ‘what would the risk to the business be if this process/asset was corrupted/denied/compromised or lost’?  This gives us 4 risks, data corruption, denial of access, lost and compromised data/hardware/software etc, and it allows us to immediately assign a level to that risk of high, medium, or low, depending upon the perceived hit on the bottom line.

It’s a false and dangerous notion that you can fully understand and manage all risk. Instead, you should approach this with a sense of realism and pragmatism. Breaches of cyber security can and do happen to anyone, even the most diligent. 

Don’t try and chase the Holy Grailof perfectly secure systems and a risk-free business; just make sure that you have thought about what can go wrong, and that this thinking has influenced your decisions.

Don’t despair, you can still protect yourself from many cyber-attacks by following good risk management techniques that define what controls you need to put in place, be they procedural or technical in nature.

In summary Risk Management is a proactive attempt to recognise and manage internal events and external threats that affect the likelihood of a cyber-attack or data breach.

• What can go wrong (risk event).
• How to minimise the risk events impact (consequences).
• What can be done before an event occurs (anticipation).
• What to do when an event occurs (contingency planning).

Of course, we do hear the argument that an SME can’t get involved with Secure by Design because they can’t afford the resources to do so.  We suggest you have a word with us and see how we can help in a cost effective way that won’t break the bank.