Since breaches are becoming more common these days, it’s easy to assume every organisation already has a solid cybersecurity strategy in place.
But more often than you'd think, businesses, especially small and mid-sized ones, are still in the early stages of their cybersecurity journey, trying to figure out how to establish a solid security foundation that protects the business well.
In many small businesses, the IT Manager wears multiple hats, acting as a cybersecurity manager, infrastructure engineer, and more.
They might be expected to make strategic decisions, keep systems running, negotiate contracts, manage budgets and lead support teams.
Being stretched so thin also means they rarely have the time or energy to properly think through a cybersecurity strategy. So we asked our experts: What should IT leaders actually be thinking about when building a cybersecurity foundation?
Figure out the ‘why’ and ‘what’ first
While we all agree that a cybersecurity strategy is a must-have for any business, it's worth asking WHY you're trying to build this strategy. Having clarity on the "why" gives you direction and helps define what success looks like.
- Are you trying to be proactive and secure yourself better against threats?
- Are you adopting a hybrid working policy that requires a new security strategy for the business?
- Are you trying to comply with any specific regulatory or industry standards?
Once you have clarity on your why, figure out WHAT you’re protecting. This means doing a thorough audit of your data, people, and systems.
Who holds sensitive information? Where is the data processed and stored? What services are business-critical?
Next, do a risk assessment of these assets.
How vulnerable are your systems? What data or systems are more critical than others? This assessment will help you fully understand what needs to be prioritised and protected first – what carries the highest level of threat, and where the greatest vulnerabilities lie.
Align to a framework and implement controls
A good way to build a solid foundation is to align with an industry-recognised security framework. There are plenty of frameworks out there that businesses of varying sizes can adhere to.
For small and mid-sized businesses just starting on this journey, our experts recommend working towards Cyber Essentials Plus and Cyber Assurance from IASME. These frameworks are designed to protect businesses from the most common cyber threats. Once you’ve achieved this basic compliance, you can build on it with frameworks that include additional layers of controls such as ISO 27001, NIST, etc.
This will ensure you have the basics covered and don’t have any obvious vulnerabilities that attackers can easily exploit.
As part of this, you’ll be required to implement controls such as firewalls, an intrusion prevention system (IPS), an intrusion detection system (IDS), MFA, and strong password management.
While frameworks provide structure, there are also a few non-negotiable steps that every business, no matter the size, should look to implement, such as:
- Make sure everything is patched each month. Outdated software and systems are low-hanging fruit for attackers.
- Enforce MFA for access to company resources to stop unauthorised access.
- Have strong endpoint protection software so you can get alerts in real time if there's a breach.
- Deploy an email spam filter to block out phishing attempts.
- Run a regular security training program. Keep your people informed. They're your first line of defence and often your weakest link if untrained.
Build resilience with an incident response plan
A good cybersecurity strategy isn’t just about preventing attacks, it’s also about building resiliency in your business.
Many businesses think they can deal with an incident efficiently if they have some cybersecurity tools and work with an IT partner. While that’s partially true, you can never properly respond to an incident without a real, thorough, documented, tested, and cross-functional plan.
Many treat an incident response plan like a checkbox exercise, something to do to get cyber insurance or meet some compliance requirements. They don’t document all their processes or test them. But this is where your entire ability to recover from a cyber incident really lives.
You need:
- A proper communication plan
- Clearly defined roles and responsibilities
- Documented processes
- Regular testing that replicates real breach scenarios
- An incident mitigation, recovery and review strategy
We’ve seen organisations waste critical hours trying to figure out who’s supposed to say what to whom in case of a breach. But when everyone knows their role, and you’ve got templates and protocols ready to go, it’s just a matter of executing.
Training and awareness
43% of UK businesses experienced a breach or cyber-attack in the last 12 months, with phishing being the most common type of attack, experienced by 85% of businesses.
You can have all the right processes and controls in place, but your most vulnerable link in cybersecurity is your people.
Regular phishing training, simulation exercises, and awareness programs can reinforce the idea that cybersecurity is everyone’s job and create a security-first culture in the organisation.
Rinse and repeat
Cybersecurity is never a “set it and forget it” situation. It’s an ongoing process. Things change fast – new threats emerge, new technologies get adopted, and new policies become essential. For example, AI policies have become so important now, but that wasn’t the case a year ago.
That’s why continuous monitoring and improvement are crucial.
At a minimum, review your policies and processes annually, but ideally, it should happen more frequently. Many industries now require quarterly vulnerability scans, pen testing, or other assessments. For instance, banking companies often need these done every 6 months as part of their contractual and regulatory obligations.
Your tools and procedures should provide a consistent and repeatable way to assess, correct, monitor, and improve cybersecurity. The frequency of scans and assessments will vary depending on your business type and industry, but a good practice is to complete assessments quarterly, vulnerability scans every 1-3 months, and user training every 4-6 months.
So there you have it. A few strategies to build your cybersecurity foundation. If you don’t have the right resources to help you build this foundation internally, work with a cybersecurity partner like CloudClevr to advise you. Because it’s not a matter of ‘if’ your organisation will face a breach, but ‘when’.