The actions and measures detailed in each of these advice blogs collectively represent a good foundation for effective information risk management. This blog focuses on managing the risk to your business of cyber attacks.
It’s best practice for a business to apply the same degree of rigour to assessing the risks to its information assets as it would to legal, regulatory, financial or operational risk. This can be achieved without having time-consuming systems in place. Implement a method of assessing and managing risk that’s supported by the Board, senior managers, and staff. Sharing your approach to your employees ensures that they’re aware of risk boundaries and what to keep a watchful eye out for.
What’s the risk of not managing your security risks effectively?
- Increased exposure to risk
- Missed business opportunities
- Ineffective security policy implementation
- Poor reuse of security investment
How can you manage the risk?
- Establish a governance framework. A governance framework needs to be established that enables and supports a consistent and empowered approach to information risk management across the business.
- Determine the business’s risk appetite. Agree the level of information risk the business is prepared to tolerate in pursuit of its business objectives.
- Maintain the Board’s engagement with information risk. The risks to the business’s information assets from a cyber-attack should be a regular agenda item for Board discussion.
- Produce supporting policies. An overarching information risk policy needs to be created and owned by the Board to help communicate and support risk management objectives, setting out the information risk management strategy for the business as a whole.
- Adopt a lifecycle approach to information risk management. The components of a risk can change over time so a continuous through-life process needs to be adopted to ensure security controls remain appropriate to the risk.
- Apply recognised standards. Consider the application of recognised sources of security management good practice, such as the ISO 27000 series of standards. This may not be suitable for all businesses.
- Make use of endorsed assurance schemes. Consider adopting the Cyber Essentials Scheme.
- Educate users and maintain their awareness. Provide appropriate training and user education that is relevant to their role and refresh it regularly.
- Promote a risk management culture. Risk management needs to be business-wide, driven by governance from the top down, with user participation demonstrated at every level of the business.
As always if you need any advice please get in touch.