From cyber 'attacks' to 'knowing your adversary' to 'cyber threats', it can seem like organisations are under constant siege.
Cyber threats come in several forms: nation states looking to engage in espionage, cyber criminals looking to steal valuable information to use and exploit, and issue-motivated groups looking to steal or cause disruption.
It can even include the trusted insider who steals company or customer data and the well-intentioned insider who, in going about their job, inadvertently loses valuable customer or corporate data.
There is no doubt that cyber criminals can be very adaptable and innovative, but the threat environment is a given. It is how you manage the risk that is important.
In a noisy environment, it's critical that business leaders don't lose perspective. The environment is awash with all manner of technical solutions, promising to give you the edge on detection and prevention. However, it's critical that all business leaders step back and remember that cyber risk is not an IT risk but a business risk, and just like every other business risk it needs to be managed.
It's also important to understand that this threat cannot be eliminated, but the risk can be managed. It's easy to become enticed by a 'risk framework' but, as with many frameworks, a great deal of time and effort can be invested for negligible security outcomes.
All too often cyber security is discussed using technical or military jargon, but this just loses the attention and understanding of senior leaders. It's vital that security professionals explain the threat environment and the cyber security challenge in accessible language.
That's why it's important to understand the cyber risk facing your organisation. All leaders need to be able to ask and get answers to the following simple, non-technical questions:
1. Know the value of your data: Do you know what valuable data your organisation has? This includes data that is valuable not just to you but to cyber criminals who may wish to steal it. What data would cause you real pain if you were to lose it? You must have a list of that valuable data.
2. Know who has access to that valuable data: Who has administration rights or access to information? Do all your 'trusted insiders' need to have access to valuable data to do their jobs? This question is critical because access to valuable data must be monitored closely. You wouldn't let just anyone have a set of keys to your home, so closely monitor who has access to your valuable data.
3. Know where your valuable data is: You need to know where it is stored and how you access it. Is your valuable data offshore, onshore, in a cloud, or even stored with a third party? Go the next step and ask whether your vendors have shared your valuable data with sub-contractors.
4. Know who is protecting your data: You need to know who is protecting your valuable data and this is really important. Where are they?
5. Know how well your data is protected: You need to know what is being done by security professionals to protect your data 24/7. Are the third parties who have access to your valuable data adequately protecting it?
It is only when you can answer these questions that your organisation will be well prepared to understand the level of cyber risk and how effectively it is being managed.