Cyber Security is on everybody’s mind these days. Every day there is a news item about a breach or attack. It seems the most (if not all) businesses are vulnerable to cyber security risks.
Think about it: We spend a lot of time online, between personal activities on social media , internet banking and all the things we do online for our business.
In business we hire staff via online portals and engage with contractors and freelancers online. We do our business banking and bookkeeping online as well as our email communications with clients and suppliers.
When you add up our daily online presence and then include the fact that the Internet of Things is becoming more and more a reality, there is no denying anymore that the importance of cyber security is a real thing and that it impacts every business, large and small.
One of the things you need to be aware of is the GDPR regulation which starts on the 25th of May 2018.
GDPR is all about privacy protection and personal data and to make sure this personal data is protected from outside attacks.
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
What types of privacy data does the GDPR protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Does your company collect personally identifiable information electronically? If so, you may have to seriously look at your Cyber Security processes and procedures. Especially the ones around management and storage of private data. Every company that does business with a person in the EU is potentially subject to GDPR regulations and non compliance can be very expensive with fines of up to 4% of your global revenue.
As professionals it pays to understand how we can help our organisation to be better prepared. But what are the questions to ask? What conversation is required without going too deep into the technical aspects of Cyber Security.
The challenge is to ask the right questions without going too deep into the technology as this may be the wrong focus at this point of the risk management journey.
It is all about Risk Management.
Earlier this week I was listening to a podcast about rock climbing and the interviewer mentioned that rock climbing is a risky sport. The answer was very appropriate, as the interviewee [his name is Alex Honnold] said.. no it’s not – it’s of high consequence.
[ Alex Honnold – Free Climbing El Capitan at Yosemite National Park ]
His definition of risk is something that you can plan for, something that you can manage and mitigate. Part of that risk management is that you also have to understand the consequence of your actions if something goes wrong.
In his case, being a free climber the consequence of even the slightest oversight, omission or mistake is imminent death. That’s different from big wave surfing (the example he used).. there are many more variables in surfing so while the risk level may be higher, the consequence level is lower because not every mistake ends in death. Maybe a bruised ego or a broken leg but you’ll survive.
What does free climbing have to do with Cyber Security?
It struck me during this interview that this is exactly what we want to bring across in our Self Assessments. Especially when we are talking about Cyber Security Risk Management. Understand the exact path you need to take with the company, and have a clear vision of what you need to do to make it to the destination safely. Manage your risk and understand the consequences of not being aware of the things that are important to the business. This is a great way to prioritise the use of assets and resources within your company.
It also means that you need to be clear on what we know and what we don’t know. What we have considered and dismissed and what we never even thought of in the first place. Every step towards Cyber Security is about consciously taken decisions en educated choices.
The Cyber Security Risk Management Self Assessment helps you to mark a clear path for your company and to prepare for effective and efficient implementation of the required processes, procedures and technical measures.
7 Sample Requirements:
Not all cyber-connected assets are essential to protect at all cost. Some assets, however, are “crown jewels” – worth protecting at all costs. Other assets may be more like “paperclips” where the expense of protection exceeds the benefit. How do you tell the difference?
Do we support the certified Cybersecurity professional and cyber-informed operations and engineering professionals with advanced problem-solving tools, communities of practice, canonical knowledge bases, and other performance support tools?
Does your organization perform vulnerability assessment activities as part of the acquisition cycle for products in each of the following areas: Cybersecurity, SCADA, smart grid, internet connectivity, and website hosting?
Describe the company’s current practices that are used to protect proprietary information and customer privacy and personal information. Does the company have an information classification and handling policy?
Can we describe our organization’s policies and procedures governing risk generally and Cybersecurity risk specifically. How does senior management communicate and oversee these policies and procedures?
What domains of knowledge and types of Cybersecurity-associated skills and abilities are necessary for engineers involved in operating industrial processes to achieve safe and reliable operating goals?
Does your company provide end-user training to all employees on Cybersecurity, either as part of general staff training or specifically on the topic of computer security and company policy?
[part of this article was previously published on Linkedin]