It’s the beginning of the year and some bright spark in the marketing department has an idea for recycling last year’s lead-generating article. Even though none of last year’s predictions actually came true, how about we make some new predictions about what is going to happen in 2022. We can then show how our suite of products or services can help stave off the impact of our ominous predictions. In fact, let’s just look at each product and then make up a prediction that means someone will need to buy this product? We’ll anchor the predictions on some high-profile incidents from the last 12 months but essentially say these [insert ransomware here] attacks will continue if you don’t act soon and buy one of our products. Sorted. 30mins later the copy is written and machine-gunned predictions are fired out on all channels and the sales pipeline is deluged with fear uncertainty and doubt. Prospects are now primed ready for when the sales guys follow up on the people that clicked on specific products links – BOOM! This is a well-oiled sales machine in action, nothing wrong with that. But ultimately the predictions are just wild guesses, no more steeped in fact than your weekly horoscope – turns out this week I shouldn’t give up on love!
Three things to do in the first three months
Firstly, let’s clear one thing up. I would never give up love. However, instead of predicting that unless you buy some amazing cyber security consultancy or purchase our Outsourced DPO Service your business will close and you will personally face the end of days. Rather than peddling doom and gloom, we at Fox Red Risk think it’s better to help business leaders by making some simple recommendations. Recommendations that will definitely help improve your organisation’s security posture. So, with that in mind, here are three things we recommend you tick off each month in the first quarter of 2022.
Month One: Review those Pesky Policies!
Are all your policies up-to-date? If not, get on and review them. Don’t just check that the dates in the version control are within the last 12 months (but do check that as it seems to trip so many people up). Check the content. Does it still make sense? Are you making references to roles and/or departments that no longer exist? Are there new regulatory requirements coming into force soon – Like this one on operational resilience from the FCA which comes into force end of March 2022? Are there new threats that need to be mitigated? Now is the time to go through your policies and check they are still fit for purpose. Once reviewed you must communicate the updated versions to all your employees, contractors and [where applicable] third parties – in particular, the acceptable use policy. The updates should be clearly marked showing what changes have been made. Remember, if no one knows the policy exists, how on earth can they be expected to comply with its contents.
Month Two: Clean up your patch game!
Many organisations limit their patching to operating systems only. This just will not do in today’s threat landscape. Your network devices, database servers, third party applications and libraries are the way hackers will breach your defences. These all need security patching. You’re paying for these patches so make the most of it. Apply patches on everything that can be patched. Update firmware on your Firewalls, Routers and VPNs. Update those third-party libraries that make your website look pretty. Finally, remove software that isn’t needed. Remember that Excel Add-In that was used once by finance and didn’t work as expected – get rid! Remember that piece of shareware marketing downloaded to convert a video file – get rid of that too! Fewer applications equals less exposure to exploitation!
Month Three – Smash a Resilience Test out the Park!
I’m hoping that, as it is 2022, you have a Business Continuity Plan. I’m hoping that it follows the all-hazards approach. But, have you really tested it. What I mean by really testing is validating when something will break. In other words, how much pressure needs to be put on the system before it shuts down? What real testing is not is sitting in a meeting room, going line by line through the plan, with a delicious selection of sandwiches and cakes. This sort of exercise just gives organisations and their leadership a false sense of security. It is planning out a test scenario and then turning off production systems. Seems too scary the idea of turning off production systems. It will be a lot scarier when a hacker turns them off without your permission and you have no idea what it will take to get them back up and running! Bite the bullet, apply some chaos engineering and for 2022 do a real test.
You don’t need Mystic Meg!
Well there you have it, three things business leaders can put into action right now. Communicate out your updated policies. Patch your application and network devices. Robustly test your business continuity & disaster recovery plans. For the last of the recommendations, start the planning process now ready for testing in March! As an aside, my horoscope this week also said “Some crucial information can be shared and you will sense the inner strength you need gearing up for a big push forward.” Maybe predictions are not so based in fantasy after all…and if you need help with the above, get in contact!
About The Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing control frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.
22301 22301:2019 article 28 awareness bcms BIA business continuity calculating risk change management ciso controller cybersecurity data breach data privacy Data Protection data protection by design data protection officer data protection service Data Subject Access Request DPO DSAR GDPR incident management information security leadership monitoring operational resilience Outsourced DPO Privacy processor risk risk appetite risk management ROI security security as a service small business strategic strategy Subject Access Request tools training transparency vciso virtual ciso