Cyber-security is shifting. In our annual survey of UK businesses' adoption of emerging technology, we found that a number of large organisations are taking a new approach to protecting their networks. They’re no longer waiting for cyber-attacks to strike before responding. Instead, they’re harnessing data to find weaknesses in advance. Experts call this ‘proactive security’.
What are the benefits of this approach? How does it work? And is it practical for your business to adopt? We spoke to Saket Modi, co-founder and CEO of Safe Security, one of our strategic partners that provides proactive cyber-auditing for many of our customers, to find out more.
The threat to businesses has increased, according to 65% of business leaders. Many blame this trend on the pandemic. Global workforces have been forced to use personal and work devices on home networks, which are often less protected.
The average cyber-attack in the UK costs a business £8,000. But this figure can be a lot higher, especially when you also consider the disruption to your operations and damage to your reputation. On top of all this, you might also face a fine for a data breach.
“Cyber-attacks are continually on the rise in frequency, sophistication, and expense. It's not a matter of if, but when, a cyber-attack will impact an organisation,” says Modi.
It doesn’t help that you have a limited view of the threats you face. “Reactive cyber-security is like driving a car while looking in the rearview mirror,” says Modi. “A firewall tells you only about network security, antivirus products tell you only about device security, and a security operations centre will alert you to a cyber-incident only after it has occurred.” This means you’re unprepared: you’re only ever responding to and recovering from cyber-attacks.
To take a more proactive approach, you need to remove silos and view your network as a whole. You can carry out a cyber-risk audit to assess your IT for weaknesses. You then analyse the severity of each risk by considering how it would occur and how bad the impact might be if it did.
You need to do this regularly to keep up with changing threats, which can be time-consuming. That’s why many businesses ask us to do it for them, with support from Safe Security. Modi says: “We pull in signals across people, processes, and technology for both first and third parties. This holistic real-time analysis gives leaders the transparency and context they need to measure, manage, and mitigate their cyber risk.”
All this information is continuously monitored and can be viewed at a glance in a single dashboard. But the platform also gives you an easy-to-understand Safe Score, which works on a scale of nought to five. “The higher the Safe Score, the lower is the likelihood of getting breached, and vice versa,” says Modi.
Just as you need a clear view of security across your organisation, everyone in your team needs to be more aware of cyber-threats too. But that’s easier said than done.
Many businesses tell us ‘insufficient internal skills’ is the biggest challenge they face for the next five years. This is reflected in the UK Commission for Employment and Skills research, which says the country needs 518,000 extra workers to meet the digital sector’s demands for this year alone.
“Skills shortage in cyber-security is a big challenge globally,” says Modi. But he thinks Safe Security can make up for a lack of specialists. “Cyber-risk quantification brings that missing business context to security conversations through the one score that matters to drive decisions – the ultimate dollar value impact.” This means your Chief Information Security Officer (CISO) could simply explain security issues to anyone in your organisation using a Safe Score or a clear financial cost, rather than using technical jargon only a select few understand.
You can also put clear rules in place for your people regarding ‘safe browsing’ online, what sort of information they shouldn’t post online, and how to check emails for warning signs that they might be from a scammer. To get started, try our hazard perception interactive tool for advice on turning your people into a human firewall.
While an advocate for proactive security, Modi stresses every business is different, saying: “It is essential to have a customised cyber-security strategy.” He thinks organisations should consider the size of their business, available budget, where they’re based and even their industry.
To put the right strategy, tools and support in place for your organisation, start by considering what you want your cyber-security to do, understand the risks to your IT estate, and think about your budget. Bringing in stakeholders from across your business can help you identify security risks you hadn’t thought of, as well as get the rest of your team to support the strategy.
We’re here to help. Our experts can help you develop a security strategy, install the right security tools for your needs and provide ongoing support. We can even manage your cyber-security services for you, including cyber-risk auditing from Safe Security.
Many businesses benefit from partnerships like this. 51% of business leaders – and 56% of public sector ones – tell us they now consider the role of partners essential. This is partly because it can save you the cost of training or employing extra people. But it also frees up your CISO and wider IT team to focus on the future of your organisation.
Modi says he often sees this in the way that customers rely on a mix of our managed services and his platform: “Safe Security removes silos and reactive cyber-security, and adds a business context to it. With BT’s vast expertise in managed security services, managing and mitigating vulnerabilities is more efficient. So customers can manage cyber-security risk as a part of their enterprise risk strategy. This enables businesses to measure, manage and mitigate risks in real-time.”