Risk Management

We all look both ways before crossing the road. At a basic level for our daily lives, this is an example of risk management. In the world of cyber security we need a similar approach.

Sarah Hurley, COO XaaS Ltd

In a bit more detail:

In simple terms, risk combines the likelihood of a disruption to your business with its consequence (how much harm it would do). The disruption could be many things, such as damage to your good name because an attacker stole your data, or a fire in your warehouse closing your business. Risk management is the identification and assessment of potential threats, so that you understand and prioritise them and can decide on the appropriate actions in response, both preventative and reactive.

Here are four quick wins to start you on your cyber-health journey to improve your risk management; each is described in more detail below:


Get some policies and standards

Assess your third parties

Have a business continuity plan

Start tracking your risks

Get some policies and standards

Policies state, at a high level, how your company intends to protect itself from various risks. Which policies you need and what goes in them depends on the nature of your business: for instance, if you have no premises (e.g. a shop or warehouse), you are unlikely to need a physical security policy. Regardless, in most cases you will need a cyber security policy, and all the more so if you handle customer information.

A standard defines how the policy is implemented. For instance, a policy may state that your company must protect itself from damage caused by computer viruses; the standard then documents how this is achieved, such as requiring anti-virus software to be installed on all endpoints.

To get you started, XaaS provides a template cyber security policy containing the key elements needed by most small and medium-sized businesses. The policy is supplied in Microsoft Word format so that you can download and customise it for your company, making it easy to implement.

At minimum, your cyber security policy should include:

Policies and standards are only useful if your business knows they exist and follows them, so some simple steps you can take to make your policies and standards effective are:

Assess your third parties

Most businesses rely on third parties to provide goods or services. In some cases this involves handing sensitive data (such as customer details) to companies over which you have no direct control.

When your business passes this information to a third party, it is your responsibility to ensure that they apply the right level of security to protect it. Not every supplier needs a full assessment, so categorise your third parties and focus on those that are critical to your business or that hold your sensitive data, including any cloud services you use.

Some simple steps you can take to check you are doing the right thing are:

Have a business continuity plan

At its most basic, a business continuity plan is a set of instructions to follow so that your business can keep working if important systems, data or even premises become damaged or unavailable.

Understanding which systems and activities your business needs on a day-to-day basis in order to operate will help you formulate a high-level business continuity plan, and there are a few simple steps you can take to help keep your business running when something goes wrong.

It is important to check whether any cloud-based services you use provide uptime guarantees, and separately whether they back up your data. An uptime guarantee does not mean your data is backed up: not all cloud services back up your data automatically, so confirm this rather than assume it.

Some simple steps you can take to build your business continuity plan are:

Start tracking your risks

In the world of health and safety there is the concept of recording accidents and near misses. This allows changes to be made to avoid the same thing happening again.

Cyber security has a similar concept when it comes to cyber risk. These are the things you know your business should be doing but, for one reason or another, has not yet fixed, whether because of budget, time or other factors.

Risks left untreated can eventually expose your business to harm. For instance, if you know you have no backups and then lose vital data, the loss could have been avoided by treating the known risk of having no backups.

By keeping what is known as a risk register, your business can record each risk, who owns it and what is being done about it, and make sure the important ones actually get fixed.
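As an added worked example (this code is not from the XaaS page or its policy template), the following Python sketches a small risk register that applies the definition of risk given above: each entry is scored as likelihood multiplied by consequence, the register is sorted so the highest-scoring risks come first, and untreated or overdue items can be pulled out for review. The 1 to 5 scales, the high/medium/low thresholds, the status values and the sample entries are all assumptions chosen for illustration.

```python
"""Minimal risk register: likelihood x consequence scoring and prioritisation.

Added example, not part of the XaaS page or its policy template. The 1-5 scales,
the rating thresholds, the status values and the sample entries are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed reporting date used by the sample run below (an assumption).
REPORT_DATE = date(2024, 5, 1)


@dataclass
class Risk:
    ref: str                    # short identifier, e.g. R-001
    description: str            # what could go wrong
    likelihood: int             # 1 (rare) .. 5 (almost certain)
    consequence: int            # 1 (negligible) .. 5 (severe)
    owner: str                  # person accountable for treating the risk
    treatment: str              # agreed action, preventative or reactive
    due: Optional[date] = None  # target date for completing the treatment
    status: str = "open"        # open | in progress | treated | accepted

    def __post_init__(self) -> None:
        # Reject scores outside the assumed 1..5 scales so the register stays comparable.
        for name, value in (("likelihood", self.likelihood), ("consequence", self.consequence)):
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")

    @property
    def score(self) -> int:
        # Risk = likelihood x consequence, as the page defines it (range 1..25).
        return self.likelihood * self.consequence

    @property
    def rating(self) -> str:
        # Thresholds are an assumption; set them to match your own risk appetite.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


@dataclass
class RiskRegister:
    risks: List[Risk] = field(default_factory=list)

    def add(self, risk: Risk) -> None:
        if any(r.ref == risk.ref for r in self.risks):
            raise ValueError(f"duplicate risk reference {risk.ref}")
        self.risks.append(risk)

    def prioritised(self) -> List[Risk]:
        """Highest score first; ties broken by consequence so the most damaging come first."""
        return sorted(self.risks, key=lambda r: (r.score, r.consequence), reverse=True)

    def untreated(self) -> List[Risk]:
        """Risks still needing action (accepted risks are a deliberate decision, not a gap)."""
        return [r for r in self.risks if r.status not in ("treated", "accepted")]

    def overdue(self, today: date) -> List[Risk]:
        """Untreated risks whose treatment due date has passed."""
        return [r for r in self.untreated() if r.due is not None and r.due < today]

    def report(self, today: date) -> str:
        """Plain-text view of the register in priority order, flagging overdue items."""
        overdue_refs = {r.ref for r in self.overdue(today)}
        lines = [f"{'ref':<7}{'rating':<8}{'score':<6}{'status':<13}{'owner':<7}description"]
        for r in self.prioritised():
            flag = " (OVERDUE)" if r.ref in overdue_refs else ""
            lines.append(f"{r.ref:<7}{r.rating:<8}{r.score:<6}{r.status:<13}{r.owner:<7}{r.description}{flag}")
        return "\n".join(lines)


def sample_register() -> RiskRegister:
    """Constructed sample entries for illustration only."""
    reg = RiskRegister()
    reg.add(Risk("R-001", "No backups of customer order data", 4, 5, "Ops",
                 "Enable nightly backups and test a restore", date(2024, 3, 31)))
    reg.add(Risk("R-002", "Supplier holding customer details not assessed", 3, 4, "Sales",
                 "Send security questionnaire and review contract", date(2024, 6, 30)))
    reg.add(Risk("R-003", "Staff unaware of the cyber security policy", 3, 2, "HR",
                 "Brief staff at induction and annually", status="in progress"))
    reg.add(Risk("R-004", "Laptops without full-disk encryption", 2, 3, "IT",
                 "Turn on disk encryption on every laptop", status="treated"))
    return reg


if __name__ == "__main__":
    print(sample_register().report(REPORT_DATE))
```

Run as-is to see the prioritised table with the missing-backups risk at the top and flagged overdue. Keeping the register in code is not the point; a spreadsheet with the same columns (reference, description, likelihood, consequence, score, owner, treatment, due date, status) works just as well, provided it is reviewed regularly and overdue items are chased.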

Some simple steps you can take to start your risk register are: