Five key checks to ensure a business is ready for cyber attacks

Top of any company’s cyber security checklist should be ensuring that the cyber security strategy is taking all changes in the operating environment into account, says BAE Systems

By considering five key areas, businesses can ensure they are well defended and prepared for cyber attacks, according to aerospace and defence firm BAE Systems.

1. Understand the cyber risk

“New technologies bring new opportunities, but they also introduce new risks,” said Neal Watkins, chief product officer at BAE Systems.

“As companies acquire and integrate other companies and technologies, we need to look at the new risks that brings,” he said in a video aimed at business managers.

This includes looking for potential risks introduced by third parties, contractors and changes in the supply chain.

Top of any company’s cyber security checklist should be ensuring that the cyber security strategy is taking all changes in the operating environment into account.

“It is important to have a living, breathing cyber security strategy that you review and update on an ongoing basis to capture all of these new risks,” said Watkins.

2. Have the right security controls

Once vulnerabilities have been identified, BAE Systems said businesses need to be prepared to make big decisions if vulnerabilities are critical.

“We need to have the courage to make the right business risk decision to ensure that the business not only operates, but that the most critical assets are protected,” said Watkins.

“There needs to be the courage in making the difficult decisions on what systems and services are protected, and at what level, which could be crucial to retaining a customer or client,” he said.

3. Balance business and risk 

At the absolute minimum, business directors need to understand which assets are most critical and where the key areas of vulnerability lie.

“Businesses need to make the right decision that balances security risk against commercial necessity and does the right thing by the business and customers in the long term,” said Watkins.

Leaders should discuss what cyber risk they are prepared to take, and how much they want to invest to manage it.

“There needs to be the courage in making the difficult decisions on what systems and services are protected, and at what level,” said Watkins.

4. Build a defensive culture with security-by-design

Security needs to be ingrained into the company culture, according to BAE Systems. Security by design, said Watkins, involves everybody making sure they are working securely, whatever role in the company they have.

“It’s about everyone ensuring the tasks they complete are secure in terms of process and execution, whether they are writing code in an application, delivering a service or responding to a customer or handling their data,” he said.  

According to BAE Systems, security analytics, threat intelligence and situational awareness can help in discovering where the vulnerabilities are.  

5. Prepare a response

Finally, the security firm noted that no security is completely effective, and there is always a chance of a successful attack.

For this reason, having a plan in place to respond and repair is what makes the difference between a full-blown crisis and a problem that can be tackled.

“There needs to be a thorough, rehearsed and tested response plan known to clients and employees, across systems and processes,” said Watkins.

“In the event of an attack or crisis, people will be measured in terms of how they respond, and making sure you have a well-thought-through, rehearsed and tested response plan is going to be critical,” he said.

The way people respond to a cyber attack or incident, according to BAE Systems, will have a major effect on operational impact and loss of productivity, as well as customer confidence.


1 comment


Understanding the risk is certainly a key element. Where I work, recent moves to include the CISO’s team in the change management process for both application and infrastructure changes have been able to make a positive change in our cyber security posture with little to no effect on the efficiency of the change management processes themselves. This has helped not only balance business and risk, but it has also helped pave the way for changes in current security controls because people see the benefits of the team’s involvement in the CM processes, and how little impact they’ve had, and are not so resistant when they do come to other areas.