1. Understand the cyber risk
“As companies acquire and integrate other companies and technologies, we need to look at the new risks that brings,” said Watkins in a video aimed at business managers.
This includes looking for potential risks introduced by third parties, contractors and changes in the supply chain.
“It is important to have a living, breathing cyber security strategy that you review and update on an ongoing basis to capture all of these new risks,” said Watkins.
2. Have the right security controls
Once vulnerabilities have been identified, BAE Systems said, businesses need to be prepared to make big decisions where those vulnerabilities are critical.
“We need to have the courage to make the right business risk decision to ensure that the business not only operates, but that the most critical assets are protected,” said Watkins.
“There needs to be the courage in making the difficult decisions on what systems and services are protected, and at what level, which could be crucial to retaining a customer or client,” he said.
3. Balance business and risk
At the absolute minimum, business directors need to understand what their most critical assets are and where their key areas of vulnerability lie.
“Businesses need to make the right decision that balances security risk against commercial necessity and does the right thing by the business and customers in the long term,” said Watkins.
Leaders should discuss what cyber risk they are prepared to take, and how much they want to invest to manage it.
4. Build a defensive culture with security-by-design
Security needs to be ingrained into the company culture, according to BAE Systems. Security by design, said Watkins, means everybody making sure they are working securely, whatever their role in the company.
“It’s about everyone ensuring the tasks they complete are secure in terms of process and execution, whether they are writing code in an application, delivering a service or responding to a customer or handling their data,” he said.
5. Prepare a response
Finally, the security firm noted that no security is completely effective, and there is always a chance of a successful attack.
For this reason, having a plan in place to respond and repair is what makes the difference between a full-blown crisis and a problem that can be tackled.
“There needs to be a thorough, rehearsed and tested response plan known to clients and employees, across systems and processes,” said Watkins.
“In the event of an attack or crisis, people will be measured in terms of how they respond, and making sure you have a well-thought-through, rehearsed and tested response plan is going to be critical,” he said.
The way people respond to a cyber attack or incident, according to BAE Systems, will have a major effect on operational impact and loss of productivity, as well as customer confidence.