Step 1: Risk management as a basis
Every cyber security plan should start with risk management. Not every system and not all data need the same level of security. A Business Impact Analysis (BIA) helps determine how important an application is in terms of availability, integrity and confidentiality. This classification determines how many measures are needed and in which area. By then mapping the risks and determining which assets are exposed to cyber threats, organisations can prioritise and take appropriate measures.
A practical example
Suppose an organisation manages a lot of valuable customer data, but also has an informal chat environment where employees communicate daily. While the customer data obviously requires a high level of security, the chat environment may only need basic security measures. By making the distinction based on risk, you can avoid burdening employees with unnecessary security steps for applications that do not require it.
Step 2: Flexible authentication as a key
A major pain point for many employees is access to systems. Traditional passwords and increasingly complex forms of authentication cause frustration and slow down processes. Flexible, context-aware authentication measures can significantly improve this. Multi-factor authentication (MFA), for example, is crucial for access to sensitive systems or when working remotely. However, MFA is not needed for every login. Instead of rigid rules, you can secure certain systems more heavily and set less stringent access requirements for others. Also consider the form the MFA takes: logging in to a laptop with facial recognition can actually be easier than typing a password. By working ‘passwordless’, you improve security while optimising ease of use. Passkeys, for example, are a promising development in this area.
Contextual access management
By using contextual access management, systems can adapt to the situation. For example, if an employee works from a known IP address, on a device and in an application they use every day, Single Sign-On (SSO) simply grants access. If the same person works from an unknown location or on an unfamiliar device, an extra factor is requested. In this way, you keep access secure without inconveniencing employees in their daily routine.
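The following is an added illustration, not code from the original article: it ties Step 1 to Step 2 by letting a BIA rating per application (availability, integrity, confidentiality) decide how strict authentication must be, and then letting the login context (network, device, application) decide between plain SSO and a step-up MFA factor. The decision logic, the class names and the sample users, networks and applications are all constructed for this example; a real deployment would take the baseline from the identity provider's sign-in history and log the returned reasons for the security team.

```python
"""Risk-classified, context-aware access decisions (added example, constructed data)."""
from dataclasses import dataclass
from enum import IntEnum
import ipaddress


class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class BiaRating:
    """Business Impact Analysis rating on availability, integrity and confidentiality."""
    availability: Impact
    integrity: Impact
    confidentiality: Impact

    def classification(self) -> Impact:
        # The overall class is the highest of the three ratings: a loss in any
        # single area is enough to cause damage at that level.
        return max(self.availability, self.integrity, self.confidentiality)


@dataclass(frozen=True)
class AccessContext:
    """What is known about one login attempt."""
    user: str
    source_ip: str
    device_id: str
    application: str


@dataclass(frozen=True)
class Baseline:
    """Networks, devices and applications seen in the user's daily routine (assumed input)."""
    known_networks: tuple        # CIDR strings such as "10.20.0.0/16"
    known_devices: frozenset
    known_apps: frozenset


def anomalies(ctx: AccessContext, baseline: Baseline) -> list:
    """List the context signals that deviate from the user's routine."""
    found = []
    addr = ipaddress.ip_address(ctx.source_ip)
    if not any(addr in ipaddress.ip_network(n) for n in baseline.known_networks):
        found.append("unknown_location")
    if ctx.device_id not in baseline.known_devices:
        found.append("unknown_device")
    if ctx.application not in baseline.known_apps:
        found.append("unusual_application")
    return found


def decide(rating: BiaRating, ctx: AccessContext, baseline: Baseline):
    """Return (decision, reasons): 'allow' means SSO alone, 'step_up' means an extra factor."""
    level = rating.classification()
    reasons = anomalies(ctx, baseline)
    if level == Impact.HIGH:
        # Sensitive systems always require an extra factor, whatever the context.
        return "step_up", ["high_impact_application"] + reasons
    if level == Impact.MEDIUM and reasons:
        # Any deviation from the routine (location, device or application) triggers MFA.
        return "step_up", reasons
    if level == Impact.LOW and {"unknown_device", "unknown_location"} <= set(reasons):
        # Basic protection only: an unfamiliar device from an unknown place still gets a challenge.
        return "step_up", reasons
    return "allow", reasons


# Constructed sample data: ratings for three applications and one user's baseline.
CUSTOMER_DB = BiaRating(Impact.MEDIUM, Impact.HIGH, Impact.HIGH)   # valuable customer data
HR_PORTAL = BiaRating(Impact.MEDIUM, Impact.MEDIUM, Impact.LOW)
TEAM_CHAT = BiaRating(Impact.LOW, Impact.LOW, Impact.LOW)          # informal chat environment

ALICE = Baseline(
    known_networks=("10.20.0.0/16",),
    known_devices=frozenset({"laptop-0042"}),
    known_apps=frozenset({"team-chat", "customer-db", "hr-portal"}),
)

if __name__ == "__main__":
    routine = AccessContext("alice", "10.20.3.7", "laptop-0042", "team-chat")
    hotel = AccessContext("alice", "203.0.113.9", "tablet-unknown", "team-chat")
    print("chat, daily routine:", decide(TEAM_CHAT, routine, ALICE))
    print("chat, new device from hotel:", decide(TEAM_CHAT, hotel, ALICE))
    print("customer data, daily routine:", decide(CUSTOMER_DB, routine, ALICE))
```

The returned reasons are meant to be logged with every decision: a burst of `unknown_device` step-ups for one account is the kind of signal an analyst wants to see, and it costs the employee nothing when the context matches their routine.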
Step 3: Increase cyber security awareness
Security is only effective if everyone in the organisation is aware of it. Employees are often the first line of defence, and cybercriminals know this. Human error is responsible for a large proportion of security incidents, for example through phishing e-mails or insecure actions. By making employees aware of digital threats, you reduce these risks. Awareness training not only helps employees understand why security measures exist, but also passes on practical knowledge on how to deal with digital threats. You can make it easy for users by adding a button to the mail client so that a suspicious e-mail can be reported with one click.
Practical examples and training
Awareness training can include easy-to-understand simulations, such as a phishing test. This simulates what a phishing e-mail looks like, so employees learn to recognise suspicious e-mails faster. The better employees understand why and how they are part of cyber security, the less strict the measures may need to be in some cases. With this in mind, make sure you first explain to employees how to recognise and report a suspicious e-mail. You don’t want to give them the impression that you are trying to catch them out.