The current cyber security landscape poses many challenges for business leaders. In November 2022, the Privacy Legislation Amendment passed, increasing penalties for executives and holding them accountable for the security of their organisation, with the goal of driving investment in cyber security practices. This has inspired businesses to invest in a strong cyber security strategy; however, exactly what that entails remains a mystery to most.
While investing in technology can certainly help secure your organisation, the fact is, most security breaches are a result of human error. According to Verizon’s 2022 Data Breach Investigations Report, “The human element continues to drive most breaches… 82% of breaches involved humans.” A holistic approach that includes ongoing training and education is essential to avoiding the perils of a breach and keeping your environment secure.
At Canon Business Services ANZ (CBS) we work closely with organisations to identify their vulnerabilities and create a plan that mitigates their risk and boosts their overall security posture. In this article we’ll explore the key components of a strong cyber security strategy and how to go about creating the right roadmap for your organisation.
Before implementing security measures within your organisation, you need to cultivate a thorough understanding of your business operations as well as your cyber security goals.
• Cultivate a thorough understanding of your company’s business. You can’t secure what you don’t understand. An effective cyber security solution requires a thorough understanding of your business and the potential risks involved in its day-to-day operations.
• Review your business and IT strategies. An effective cyber security strategy does not exist in a vacuum—in order to be successful, it needs to be aligned with your overall business and IT strategies.
• Assess your enterprise business risk. What are the current risks associated with your business, and what would you like to do about them? What is your ideal security posture? The answers to these questions will help inform your ideal cyber security strategy.
• Recognise your company’s risk appetite. As a CIO, not only do you have to come up with an actionable security strategy, you then need to be able to communicate its value to executives and board members. They’ll want to know what your strategy is going to achieve, and how you plan to measure its impact over time.
• Identify your most valuable assets. Assets can include people, places, services, and information. Your most important assets are likely essential to your business operations; as such, defining them should be the starting point of your cyber security strategy.
• Find your critical data and know where it lives. Knowing where your most valuable data lives, how it behaves, and who has access to it is essential to creating a strategy to protect it.
• Run a cyber security risk assessment. A cyber security assessment can help identify existing vulnerabilities in your environment.
There are several types of penetration tests you can conduct, depending on your goals. As its name suggests, white box testing involves full transparency with the tester, who is given knowledge of your environment up front, and can help you to understand the types of threats that exist in the current cyber security landscape. In a black box test, no information is provided to the tester, who approaches your environment the way an outside attacker would. This type of test is most useful for identifying your weak spots and how to manage them.
The characteristics of your organisation will inevitably play a role in the conception of your cyber security strategy. It’s important to keep these factors in mind, as well as how they will impact the effectiveness of your security efforts.
In order for a strategy to succeed, you need to define clear, measurable metrics to report on, for example the degree of risk mitigation achieved across your organisation. This will help you to understand if you are moving the needle in the right direction.
• Framework. It's essential to pick the right framework, one that is aligned with your strategy, in order to accurately measure progress. Some companies combine frameworks, for example Essential Eight, ISO 27001 and NIST. If your organisation needs to comply with certain regulations, you'll want to choose a framework that is aligned with those regulations.
• Maturity. A lower range of maturity generally means that you’re working with a higher risk. Your responses will tend to be reactive, as you don’t yet have the people, processes, and technology in place to help you respond to potential threats in an efficient manner and you have not defined repeatable processes. As your organisation matures, you’ll create more defined processes, becoming more proactive and more resilient. The goal is to be in a position where you are detecting small threats before they grow to become a more serious incident.
• Investment. As you mature and build out your internal processes, your risk tends to decline. However, maintaining your security strategy becomes more complex and expensive, and it is more difficult to significantly mitigate your risk. It becomes a calculation between the investment required and the actual risk benefit to your organisation; at a certain point it becomes too expensive to buy down the remaining risk, which is when companies start to think about insurance.
• Awareness. People are usually the weakest link in an organisation. 95% of breaches happen because people take an unexpected action, leaving their organisation open to infiltration from bad actors. Technology can only do so much, and being too restrictive will create friction within your daily business operations, making it difficult for people to work. Training and education are key to the maturity and safety of your organisation.
In order to improve your cyber security posture, you need to build a clear roadmap that supports capabilities, minimises known risks, and increases maturity over time. Capabilities can be identified and prioritised based on each organisation’s risk assessment.
The following are examples of capabilities, prioritised by their ability to deliver quick wins and risk buy-down for your business.
1. Awareness and training. Your users are your first line of defence against bad actors and cyber criminals. Make sure they have a thorough understanding of cyber security risks and social engineering. Phishing simulations can be a valuable tool in increasing awareness about cyber security risks. However, with AI voice impersonation on the rise, threats are no longer limited to your email inbox, but can come in the form of voice, SMS and in-person attacks.
2. Email security. Spam and phishing emails are becoming increasingly common, with 90% of security breaches occurring through phishing. Spam filters, encryption, and antivirus can be effective measures to guard against these types of attacks.
3. Asset management. We can’t protect what we don’t know exists. Classifying your assets according to vulnerability can help you respond to threats accordingly.
4. Identity and access management. Managing identities, and how people gain access to your environments, is crucial, as this is a common entry point for bad actors. Implement multi-factor authentication (MFA) across as many accounts as possible, especially those that have access to sensitive information. Abide by the principle of least privilege (PoLP) and only provide users access to data, resources and applications on an as-needed basis.
5. End user compute management. Identify and manage your users' endpoint devices and implement role-based decision making, giving people the access they need to get the job done without putting your organisation at risk.
6. Endpoint detection and response (EDR). Actively monitor the devices that have access to your environment so you can intercept any potential threats early on and respond accordingly.
7. Vulnerability and patch management. Your vulnerabilities are easier to exploit when you’re unaware of them. Make sure you know where your weak spots are and have a plan in place to strengthen them. This includes ensuring all endpoints accessing your environment are keeping their systems up to date, as this will help to reduce your exposure.
8. Infrastructure and network security. The whole point of building a cyber security strategy is to slow down any impact from bad actors, limiting their access while building the concept of defence in depth. This can include asset hardening, network segmentation, and Zero Trust Network Access (ZTNA).
9. Cyber governance, risk and compliance. Make sure that you have chosen a framework that integrates into your overall cyber security strategy and gives you the ability to report your results to board members and executives.
10. Disaster recovery (DR). Disaster recovery of critical systems is crucial. A disaster recovery plan is a comprehensive strategy designed to restore IT operations and business functions swiftly and effectively in the event of a major disruption or catastrophic event. It includes procedures, protocols, and technologies to recover critical systems, applications, and data, minimising downtime and ensuring business continuity. Immutable backup is an essential component of a resilient disaster recovery plan: it refers to data backups that cannot be altered or deleted by unauthorised users, providing an additional layer of protection against ransomware and other data manipulation, and ensuring that your bases are covered in the event that ransomware encrypts your backup.
11. Detection and response. Early detection is a key component of maintaining the security of your environment. Implementing a Security Operations Centre (SOC) or a Security Information and Event Management (SIEM) platform (or both) can help you to monitor your environment in real time and intercept any potential threats before they wreak havoc in your environment.
12. Deception techniques. Building decoys in your environment can act as a distraction for bad actors, keeping them away from your most valuable assets while also forcing them to reveal themselves. This puts you in a position of power and forces the bad actor to reconsider their plan and potentially abandon it.
13. Cyber security insurance. As threats to cyber security increase, it’s becoming clear that no one is immune. Companies are starting to see the value in insurance to help identify and mitigate their risks, but before you can acquire insurance, you typically need to reach a certain maturity level in your cyber security strategy.
It’s crucial to ensure that everyone in your company, from your receptionist through to the C-suite, has a thorough understanding of cyber security best practices. Like it or not, the actions they take every day will either be helping to reinforce your cyber security strategy or detracting from it.
You can choose to outsource the implementation and governance of these capabilities, or take an in-house approach. An experienced partner like CBS can support the delivery and implementation of your security architecture, which is essential to good governance and long-term success with your cyber security strategy.
For more information about how CBS can help to define and implement your cyber security strategy, reach out to our team today.