A legitimate question for any business owner, and one that deserves a clear and unambiguous answer. If you don’t already have a basic understanding of what cyber security is, take a look at this simple explanation (a 2-minute read) http://www.amethystrisk.com/cyber-security. For something more detailed, try this http://www.ciso-central.org/organisation/a-tour-of-cyber-security/cyber-security-introduction.
It’s fair to say that cyber security, and security in general, sometimes have a bad reputation. Security is often viewed as a cost, and as an activity that inhibits rather than enables business. Of course there are costs associated with security, but they should be entirely justified when properly balanced against the value of the assets being protected. One of the first challenges is therefore to understand what those assets are and their value to your business. This may seem daunting, but it doesn’t need to be. Assets should be grouped into some basic categories such as people, physical assets, and information.
It’s often said that people are the most valuable asset within a business; while this may be true, it probably seems impractical to attach a financial value to them. However, there are ways you can think about the value of people, for example by considering the cost to your business if they are not available. Key-man insurance has been offered for many years, recognising that certain individuals may have such critical functions within a business that insurance is required to cover the eventuality that they become unavailable. So look at the people within your business and try to estimate the costs if some or even all of them are not available for, say, one week, one month, and three months; you should quite quickly be able to gain an appreciation of the ‘value’ of these particular assets.
Valuing physical assets should be more straightforward. Some may, or should, already be recorded within your accounts, with figures for depreciating assets such as IT. Buildings, furniture, and equipment can all be valued. For example, if you have incurred capital expenditure of £100k on a special item of equipment, the value of which depreciates at an annual rate of 10%, you would want to make sure that the cost of providing security for this equipment is proportionate. Of course, if the equipment is large, heavy and/or bolted to the floor, and therefore not vulnerable to theft, it is reasonable to assume that you would invest less in security than if it were small and man-portable. None of this is rocket science, although in essence what you are doing is a form of risk assessment.
For information, the same principles apply: you need to know the financial impact if the confidentiality, integrity, and/or availability of your information is compromised (refer to the hyperlinks above).
Certainly for most small and medium sized businesses it should be possible to address a lot of this internally and without specialist or external support. It might be a particular challenge if you are a micro-business, with little or no capacity for anything other than getting the job done, but then you probably have most of the answers in your head, so at least try to write them down and get a second opinion or ‘sanity check’ from a colleague or friend. Similarly, for larger and perhaps more complex businesses it may be necessary either to invest in recruiting a specialist security person, or to seek support from an appropriate external third party.
All of the above I would place under the heading of prevention. It’s just like your home insurance. We all take security precautions in our homes to prevent bad things from happening, and the same approach makes perfect sense within our businesses. However, there is an additional reason for doing cyber security in the business context, which is to enable business growth and directly add to the bottom line. Even a small business should have a plan with some key targets and objectives, and it’s useful to look at these and understand specifically how cyber security can contribute to achieving them. Below is a brief example, showing redacted extracts from the business plan of a UK organisation with a 2015 revenue of £922m:
- A system wide information environment which will enable all participants to have full access to the right information at the right time.
Cyber security is a key enabler for this objective via defining and implementing appropriate requirements such as role-based access.
- The plan is for 85% contingency capability within 10 days of a catastrophic event.
This requirement relates to business continuity and disaster recovery, both of which are key controls of cyber security.
- Develop a suite of information and data services to leverage existing capabilities in an addressable market of c.£65m per annum.
Any provider of information and data services has an obligation to ensure they are always available (availability) and that they haven’t been accidentally or deliberately corrupted or modified (integrity); these are both key tenets of cyber security.
Arguably the most compelling of the above is the third example, where a specific market value has been estimated and it is obvious that, in order to achieve market penetration, the information and data services will need to be available when and where they are needed, and that their integrity can be assured.
In summary, the fundamental principles of cyber security are simple and straightforward, and unless or until you become involved in specific technical aspects you do not need any deep specialist knowledge. Addressing cyber security will help to prevent bad things from happening to your business, but of equal importance, it will help you to achieve business growth and success.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, Humber Business Resilience Forum, its directors, members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.