All businesses are at risk of a cyber-attack, so we won't bore you with a lengthy introduction on how around 30% of businesses will be breached in the coming year, how more than 60% are not adequately prepared, what the average cost of a breach is, and so on. We know the question is not whether to invest (of course we must); the question is how, where and to what extent. How should a (most likely limited) cyber security budget be allocated? Where should time and resources be focused?
So often, organisations that come to us for help managing their cyber risk believe their cyber strategy should cover every part of the business and account for every single type of cyber threat, and therefore worry that it will come at significant cost. A blanket approach might be good for total peace of mind, but it is not good for the bottom line, especially since, for many organisations, cyber security risk management competes with many other prioritised risks and "can we achieve it cheaper?" is a common question.
So why is there no single silver-bullet cyber security solution that doesn't cost the earth? As a starting point, cyber threats are not simple: they are always evolving, and every business faces a different threat profile. More importantly, cyber security is not a mature sector. Only 20 years ago, most of our processes were still offline. Now nearly every aspect of our work relies directly or indirectly on technology, whether that is an HR application, a project management platform, or just email and document storage. But as organisations have introduced all these things that streamline outputs, reduce costs and increase efficiency, they have moved swiftly and skipped much of the consequence management. Only now, when our reliance on technology is total, are we recognising the impact of malicious threat actors and trying to cobble together our defences retrospectively.
As many organisations tackle 'digital transformation', delivering their products using modern technology, some cyber security experts take advantage of the delayed scramble for security and present solutions as more difficult and more expensive than they need to be. By using complicated technical language, abstract concepts and scaremongering, some consultancies exploit uncertainty and confusion. Many organisations feel unable to make firm decisions about risks they do not understand, for fear of getting it wrong. So, instead of putting in place only what they need, based on the threats specific to them and their own risk appetite, they adopt a blanket approach and invest blindly in 'silver bullet' cyber security products, without understanding or being able to measure how effective any of it is. They do so in the hope that the problem will then go away. It invariably doesn't, and the result is a massive, disruptive and expensive undertaking, particularly if budget and resource are hard to come by.
Finding the right balance
The reality is far less complicated, of course. If you understand the types of threat your organisation and your sector face, and how they manifest within your business, you can plan the defences most effective at countering them. Are you just implementing what you've seen elsewhere, or what someone else told you they have? You could be investing huge sums in a solution that is over the top for your specific risk, investing the right amount but in the wrong place, or, conversely, not investing enough in the right things.
That's why it is so important to understand how your current security measures cover the threats specific to your business and sector. If you are the world's best online retailer, your most likely threat is not a state actor trying to disrupt your production or a competitor stealing IP, but criminals stealing sensitive customer data. In that case there is a proportionate balance (not an all-or-nothing choice) between how much you spend protecting IP and production processes and how much you spend protecting client data. That's not to say the other threats shouldn't be considered; they should. But understanding your threat profile, and working out what the risk is and where it will come from, tells you where your time, money and resource should be invested to be most effective.
Your level of cyber maturity
Put simply, how can you invest in cyber security measures if you don't know what your organisation is up against? Whether you are responsible for your organisation's IT, security, or risk and compliance, or you sit at board level and worry about how to manage corporate cyber risk, you are inevitably also thinking about the cost of doing so.
Organisations therefore need a clear view of how strong they currently are, where they need to be, and where the gaps lie, based on the threats specific to the organisation and its risk appetite. A Cyber Maturity Model accounts for all of these things, including external regulatory and governance requirements, to inform what to invest in, where and how much, removing the need for guesswork and blind investment.
How we can help
PGI's Information and Cyber Security teams use the Cyber Maturity Model across a wide range of sectors and have in-depth experience supporting national and global organisations to identify and implement pragmatic, cost-effective solutions to manage their cyber risk. Contact us to talk about how we can help: firstname.lastname@example.org or via phone: 44 (0)207 887 2699