How to Build a Robust Cybersecurity Strategy

Dean Moulden from information security consultancy SRM shares his expert knowledge on how to refine your small business' cybersecurity strategy to ensure it is as robust as possible

By Dean Moulden

Every business has a responsibility to protect the valuable information they hold relating to their organisation, their staff and their customers. Even if you already have a cybersecurity policy, you need to keep reviewing and improving your data security to ensure it is effective. Here are seven considerations to help you refine your cybersecurity strategy to ensure it is as robust as possible:

1. Hackers don’t just target the big fish

It’s not just large international corporates that are the victims of cybercriminals and hackers. Although these high-profile breaches make the news headlines when they occur, this does not mean they are the only victims. 

The reality is that cybercriminals often target smaller organisations, which typically have fewer resources to dedicate to cyber resilience. In fact, the 2019 UK Cyber Security Breaches Survey found that 31% of micro and small businesses identified a cybersecurity breach or attack in the last 12 months. The long-term consequences can be far-reaching, particularly in terms of lost future revenue and reputational damage.

2. SMEs can learn a lot from big business

With considerable in-house resources to produce robust cybersecurity policies that include breach identification, disaster recovery and business continuity plans, big businesses often demonstrate best practice in combating cyber threats. 

Yet it is important for smaller enterprises to understand that they can compensate for a lack of budget and strategic expertise by being more agile and responsive. In smaller teams it is possible to bring about meaningful changes to processes, procedures and infrastructure quickly and efficiently. After all, there simply aren’t the same number of people to consult with, train or manage.

3. Be proactive, not reactive

True resilience comes from being proactive, rather than reactive. A forward-thinking approach can help to minimise risks and even counteract some of the common techniques used by hackers.

The best way to be proactive is to build a regular test programme into your cybersecurity policies. This may sound like a huge undertaking, but in many cases a good information security consultant will be able to tailor their services to suit not only your industry but also your budget.

4. Vulnerability assessments

One of the best places to start when aiming to set up or develop a cybersecurity policy is with a vulnerability assessment. In simple terms, a vulnerability assessment is like checking that the doors and windows of your house are locked at the end of each day. 

It’s a relatively simple test which can be conducted on a system at any time of the day and can be scheduled for a specific time to best fit around the needs of a business. Vulnerability assessment tools are readily available. The advantage of these, particularly for small businesses, is that they are quick. All that needs to be done is input the details of the devices or web applications which need to be assessed and await the results. 

5. Vulnerability assessment tools

While any member of a business can run a vulnerability assessment, small businesses may not have employees with the knowledge or time to conduct these assessments effectively. What is more, those who work with a system or network every day may be too close to it to notice new issues within it.

If the vulnerability assessment is not correctly scoped at the outset it can provide false assurance. Because the test is conducted automatically, the scan will only search where it has been directed to look: any device or application left out of the scope is simply never examined, so a clean result says nothing about it. Scoping a vulnerability assessment accurately can be a challenge, but using an experienced professional will ensure that the tool is used to maximum effect, delivering an accurate and up-to-date picture of your vulnerability status. They will also be able to provide guidance on how to address the issues identified. In the end this will deliver better value.
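One practical guard against the false assurance described above is to compare the target list handed to the scanner with the organisation's asset inventory before the scan runs, so that anything the scan will never touch is reported rather than silently assumed safe. The following is an added example, not code from the article or from SRM; the inventory, addresses and scope entries are constructed sample values.

```python
"""Scope-coverage check for an automated vulnerability assessment.

Added example (not from the article or SRM). Every hostname, address and
scope entry below is constructed sample data.
"""
import ipaddress

# Constructed asset inventory: hostname -> IP address
INVENTORY = {
    "web-01": "203.0.113.10",
    "web-02": "203.0.113.11",
    "mail-01": "203.0.113.25",
    "vpn-01": "198.51.100.5",
    "branch-fw": "192.0.2.1",
}

# Constructed scan scope, as it might be typed into a scanner:
# a mix of CIDR ranges and single hosts
SCAN_SCOPE = ["203.0.113.0/28", "198.51.100.5"]


def parse_scope(scope):
    """Turn scope entries into ip_network objects; a bare host becomes a /32."""
    return [ipaddress.ip_network(entry, strict=False) for entry in scope]


def in_scope(address, networks):
    """True if the address falls inside any network the scanner was given."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def scope_gaps(inventory, scope):
    """Return {hostname: ip} for every inventoried asset the scan will not examine."""
    networks = parse_scope(scope)
    return {name: ip for name, ip in inventory.items() if not in_scope(ip, networks)}


def coverage_report(inventory, scope):
    """Human-readable summary: how many assets are covered, and which are not."""
    gaps = scope_gaps(inventory, scope)
    covered = len(inventory) - len(gaps)
    lines = [f"{covered}/{len(inventory)} inventoried assets are within the scan scope"]
    for name, ip in sorted(gaps.items()):
        lines.append(f"NOT SCANNED: {name} ({ip}) - the scan gives no assurance for this asset")
    return "\n".join(lines)


if __name__ == "__main__":
    print(coverage_report(INVENTORY, SCAN_SCOPE))
```

Run against the sample data it reports that the mail server and the branch firewall sit outside the /28 and single-host entries, so the scan results cannot be taken as covering them.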

6. Penetration testing

If a vulnerability assessment checks your doors and windows, the penetration test prises open those that are looking a little flimsy, exploring the interior and identifying the location of the valuables inside. It also examines the garden, perimeter fence and neighbourhood in which you live, using experience and expertise to imagine how an intruder would approach the target. 

Unlike a vulnerability assessment, penetration testing is carried out manually by a trained cybersecurity professional. The penetration test simulates a real-world hacker’s attempt to gain access to confidential data. For this reason, the process is sometimes known as “ethical hacking”.

The outcome of a penetration test should be a detailed report into your system’s strengths and weaknesses, while also providing recommendations on how to improve the security of the system based on these findings. 

Given the human involvement and comprehensive report which comes at the end of a penetration test, the cost of a penetration test is higher than that of a vulnerability assessment. But it’s important to think in terms of value rather than cost. If you are investing in cybersecurity, your strategy should be built on secure foundations. 

7. Regular testing programme

Using automated and manual testing in tandem will deliver the most useful up-to-date intelligence to drive your future strategy. Both should be fully incorporated into a cybersecurity policy to ensure that defences are continually updated and improved upon in response to new threats. 

Cybersecurity should be on every board agenda and rigorous testing will ensure you deploy your resources effectively. In the context of the financial and reputational damage of a breach, building a test programme into your strategy is a sound investment. 

About the Author

Dean Moulden is an expert in Digital Forensics and Penetration Testing for information security consultancy, SRM. He holds qualifications as a Certified Ethical Hacker (CEH) and CREST Practitioner Security Analyst (CPSA). Dean manages IT security projects for clients across retail, travel and hospitality sectors.