Annabel Berry, CEO, Sapphire, explains that having real visibility is key to addressing risk in order to gain a forward-looking view of the vulnerabilities and threats to the legal sector
According to the Oxford Dictionary, the definition of risk is ‘to expose (someone or something valued) to danger, harm or loss’.
Given that data has now taken over from oil as the world’s most valuable resource, it is more vital than ever that businesses are able to fully quantify the risk to their business against current and emerging cyber threats and ensure their valuable or sensitive data does not come to ‘danger, harm or loss’.
In its Cybersecurity Toolkit, the Law Society highlights key areas of cyber risk to firms, such as malware and the evolution of cloud computing. We too see these as key areas to address, ranking alongside insider threat, compliance and visibility in the top five areas of concern highlighted in our most recent survey of chief information security officers, IT security professionals and industry experts at our conference, NISC. These are common themes we see across all UK sectors.
However, gaining real visibility is key to addressing risk, not only to identify events or breaches when they occur but also to gain a forward-looking view of the vulnerabilities that could be compromised and to understand the real threats to the legal sector today: external or internal, malicious or accidental.
Only when you have full visibility can your firm gain a true understanding of how effective your current IT security programme is today, how it needs to develop alongside business initiatives and strategies moving forward, and where the real risks lie. Without this, it is challenging to plan adequately how best to prioritise, how to protect against the real threats to your organisation, and where best to invest to mitigate risk.
So, if visibility is key to understanding what the risks are, how is it possible to gain that view?
Your current security posture
We recommend that the best starting point is to ensure that you have a full picture of all of the assets within your infrastructure and then to test and review how well those assets are being protected by the existing technical controls in place and where the gaps lie. At the heart of many breaches are the age-old issues of patching, weak passwords and over-privileged access for users. Measuring and then addressing these areas can often dramatically minimise an organisation’s risk.
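The starting point described above, a full asset picture checked against the three age-old issues (patching, weak passwords, over-privileged access), can be expressed as a simple gap review. The following is an added illustration, not Sapphire's tooling or anything from the article: the inventory, hostnames and policy thresholds are constructed for the example, and a real review would feed the same logic from a CMDB or endpoint-management export.

```python
"""Asset-posture gap check (illustrative only; inventory and thresholds are made up).

For each asset in a constructed inventory, flag the three issues the text
names: missing patches, a weak password policy and too many privileged users.
Hosts are then ranked so the review effort goes to the worst gaps first.
"""
from dataclasses import dataclass, field
from datetime import date

# Assumed policy thresholds for this example; a firm would set its own.
MAX_PATCH_AGE_DAYS = 30      # patches expected within 30 days
MIN_PASSWORD_LENGTH = 14     # minimum length the host's policy must enforce
MAX_ADMINS_PER_HOST = 2      # more local admins than this triggers a privilege review


@dataclass
class Asset:
    hostname: str
    owner: str
    last_patched: date
    min_password_length: int            # length enforced by the host's password policy
    local_admins: list = field(default_factory=list)


# Constructed inventory (hypothetical hostnames and owners).
INVENTORY = [
    Asset("dms-fileserver", "IT", date(2019, 1, 10), 14, ["it-admin"]),
    Asset("fee-earner-laptop-07", "Litigation", date(2018, 9, 2), 8,
          ["jsmith", "it-admin", "helpdesk"]),
    Asset("case-mgmt-db", "IT", date(2019, 2, 1), 14, ["dba"]),
]


def find_gaps(inventory, today):
    """Return {hostname: [gap, ...]} for every asset with at least one gap."""
    gaps = {}
    for asset in inventory:
        issues = []
        if (today - asset.last_patched).days > MAX_PATCH_AGE_DAYS:
            issues.append("unpatched")
        if asset.min_password_length < MIN_PASSWORD_LENGTH:
            issues.append("weak-password-policy")
        if len(asset.local_admins) > MAX_ADMINS_PER_HOST:
            issues.append("over-privileged")
        if issues:
            gaps[asset.hostname] = issues
    return gaps


def prioritise(gaps):
    """Order hostnames by number of gaps (most first), then alphabetically."""
    return sorted(gaps, key=lambda host: (-len(gaps[host]), host))


if __name__ == "__main__":
    review_date = date(2019, 2, 15)   # constructed review date
    found = find_gaps(INVENTORY, review_date)
    for host in prioritise(found):
        print(f"{host}: {', '.join(found[host])}")
```

The output is a ranked list rather than a pass/fail, which is what a pragmatic risk discussion needs: the laptop with three gaps is where remediation effort pays off first, while the database that meets all three checks can be left alone for now.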
Industry policies and frameworks
In parallel, an exercise should be carried out to review the policies and frameworks in place and how well they are being met or understood by staff and users. Whether a business is subject to industry regulations or is merely choosing to follow best-practice guidelines such as ISO27001, NIST or Cyber Essentials, it is key that these are reviewed to ensure they remain suitable for your business as it expands and evolves.
Incident response planning
Finally, an evaluation of IT security procedures should be undertaken to analyse whether those procedures are being followed, particularly in the event of a breach or incident occurring. Being able to respond quickly and effectively to an incident is key. Breaches will inevitably happen; it is how effective an organisation is at responding to that threat that will determine the risk the incident poses to the business.
Resources and investments
Knowledge is power. Once these reviews have been undertaken, it is then possible to quantify the true cyber risk to an organisation and decide on an approach to address it: either taking steps to remediate and mitigate, or acknowledging and accepting the risk – it has to be a pragmatic and balanced view.
Cyber awareness is at an all-time high and the pressure on IT security teams is unprecedented, with resources often stretched to capacity. It is critical for firms to be able to fully understand the risk to their business so that they can assign resources more effectively to the areas that directly reduce their risk, or direct IT budget spend to the areas that are most critical. That can only be done through effective and planned reviews which are measured in line with industry standards or best-practice guidelines. After all, we don’t know what we don’t know, and what we don’t know could damage us.