The coronavirus pandemic has caused a shift in the way UK businesses consider security. The move to remote working, often without much pre-planning, has tested the effectiveness of traditional security controls. Now more than ever, companies must trust their people to make the right security decisions. It looks unlikely that organisations will revert to their previous operating models. Having experienced the benefits and trials of remote working, employees will look to strike more of a balance between home and the office. Meanwhile, employers will look for a reduction in physical premises and a return on the investment made in remote working solutions.
The pandemic has not, however, changed the impact of security incidents such as data loss. Indeed, it has provided a new avenue for criminals to exploit. The financial costs of security incidents can be huge. A single incident can result in hefty regulatory fines, class action fees and insurers refusing to pay out if adequate control measures are not in place.
There is a tendency to treat security as a standalone discipline and to separate physical security (fences, alarms and guards) from ‘cyber security’ (the complex array of measures designed to protect electronic data). Occasionally there may be mention of personnel security – but more often than not, the human factor is overlooked.
Time for a holistic security model
Traditionally, each discipline – physical, cyber and insider (human) – has a profession and a language of its own. However, at Blacksmiths Group, we believe that to achieve optimal security, businesses must take a holistic approach that:
- Considers the physical, cyber and insider aspects of security as a single risk balanced with other risks facing an organisation
- Sees security as everyone’s responsibility.
In this article, we describe the building blocks of a holistic security model that businesses can apply to manage security risks effectively while saving time and money in the process. The model considers three key areas of an organisation’s security:
- Governance and risk management processes
- Security policies
- Education and awareness.
Governance and risk management processes
Security is often considered separately from other operational risks and is assumed to be the business of ‘security professionals’. In fact, it is every bit as much the business of operational teams, HR, information managers, IT and finance directors. Security investment and resources can easily be wasted on the wrong things if senior management does not understand the business’s full spectrum of security risks.
Governance and risk management best practice
Here are some measures to consider applying to your governance and risk management processes:
- Put security at the heart of your business. Include the safety of people and information in your vision and values, making them central to your organisation's culture and operations.
- Identify security risk owners on the board and at senior management levels. Risk ownership for security may sit with more than one board member, but an individual should be accountable for the topic. At the executive level, establish a senior Security Risk Oversight Group to centrally manage security risks to the business and set security strategy. The group should include operational leaders from across business areas and leaders of the key corporate functions.
- Establish operational groups. While a security lead might chair these, again, these groups should be cross-disciplinary. Their roles are to:
a. Deliver the security controls required by the strategy
b. Monitor changes in the risk environment
c. Report upwards.
- Provide security management information. The operational groups should provide the board with metrics on the delivery of security controls. These should align with the wider corporate risk processes.
- Implement assurance mechanisms, making sure that internal and external bodies carry out independent checks. Ensure that security controls are regularly tested and that lessons learned are implemented when incidents occur.
The first thing to be compromised when a security incident takes place is the policies and processes designed to prevent it. In our work, we have noticed three common reasons for this:
- Businesses often only ever review their policies and processes reactively in response to an incident rather than routinely as part of their strategy
- Documents are often hard to find
- Many of the relevant policies, such as information management, acceptable use, HR and travel policies, may not have "security" in the title or indeed be 'owned' by the security department at all.
Security policies best practice
- Create a Security Charter. The Security Risk Oversight Group should own a document that sets out the business’s security approach and clearly defines roles and responsibilities, including expectations of employees. This document should contain easy to reference links to all relevant policies and procedures.
- Create a single repository for security policies. Make sure that all security policies and processes, including those drafted for specialist teams, can be accessed from a single place. Provide links to associated policies along with clear indications of where to go for help.
- Develop a security standard for third parties. Make sure that you do not forget the risks posed by suppliers and contractors. Your company Security Standard document should detail:
a. The requirements placed on third parties during tendering
b. Contract provisions
c. Minimum security requirements expected of third parties when handling company assets.
Education and awareness
People are often described as “the weakest link” in the security defences of a business. We consider quite the opposite to be the case. Your people can be your greatest security asset and an effective first line of defence when you:
- Provide them with tailored security guidance
- Empower them with simple routes to report security incidents
- Give a proportionate response when they do report an incident.
Security education best practice
Here are two top tips to consider in your security education efforts:
- Form a network of security champions across the business. Each security champion should have formal responsibility for providing tailored security guidance and monitoring security risks specific to their business area. The security champions network can become a key asset for your business in building a secure culture.
- Maintain a security education and awareness strategy. We have found that many businesses base their entire security education efforts on phishing simulations and new joiners’ inductions. These are often viewed as ‘tick-box’ compliance activities and fail to elicit behaviour change. Messages from areas such as health and safety, welfare and information management are normally addressed separately, leading to information overload. It is, therefore, important to develop and maintain a security awareness strategy that is:
a. Based on education and communications that cover all the relevant bases
b. Part of the wider organisation communications strategy.
10 Steps to Holistic Security
The holistic security model described above can be represented as a 10-step process, illustrated in the diagram below.
Implementing the activities described in the model can help your business to:
- Deliver better security outcomes
- Break down unhelpful silos across the business
- Save money and improving efficiency.
Allied with processes such as records management and smart use of data to predict and identify issues before they occur, the model provides the basis of a holistic approach to security risk – whether that be physical risk, cyber risk or even the risk from insiders.
Having a clear understanding of your security risk appetite and the maturity of existing security measures will allow you to identify and address gaps to achieve optimal security. A specialist cyber-security firm can assist you with this.
Blacksmiths is a team of human, physical and digital security specialists who develop your capability to tackle security challenges and defend against complex threats. If you would like to talk to us about the challenges facing your business, you can contact us on +44 (0)20 3880 2282 or email firstname.lastname@example.org.