Sound Security Advice for Senior Executives

‘Top Twenty Topics’

There is a great deal of advice around at the moment on how to improve organisational security.  This is set against the reduction in the number of police officers by 22,000, a 10% rise in reported crime and the increased threat of terrorism after 3 recent incidents in the UK.

The Centre for the Protection of National Infrastructure (CPNI) is the government authority for protective security advice tasked with reducing the vulnerability of the national infrastructure and it has recently published a new document entitled ‘Passport to Good Security’ for Senior Executives.  This document provides a guide for senior teams as it lays out, in simple terms, which topics they should be considering as part of their crisis management plan.

Most organisations are aware that good resilience and security protects people, reputation and profitability.  Senior executives, or those with board level responsibility, need concise risk and threat information as part of their business impact analysis (BIA).  Risk management and governance activities, should be delivered by their Chief Resilience Officer or equivalent.

The top twenty headlines from the CPNI document are:

1. Good governance – who owns security and risk at board level?  Are there clear reporting lines?  Is security on the board agenda?  According to a survey conducted by PWC for the UK Government, 28% of the worst security breaches were caused partly by senior management giving insufficient priority to security.
2. Identify your most valuable assets – which are most critical to your business success, competitive advantage and continued operation.  These will include people, products, services, processes, premises and information. highlights the importance of information assets and the impact of a breach or incident.
3. Identify the threats – to your most valuable assets.  Threats are diverse and may be physical or cyber and may change over time.  Joining information-sharing groups or information exchanges is a good way of keeping up-to-date with emerging threats.
4. Adopt a risk management approach – one that integrates security into your business but does not inhibit it.  Does your approach target threats to your organisation specifically? Does it include how much risk you are willing to accept?
5. Mitigate your risks – prioritise your risks and put in place a range of personnel, cyber and physical control. Rehearse procedures.  Who owns your risk mitigation measures information? How often is it reviewed and updated?
6. Policy review, legality, ethics and transparency – should be transparent and accessible.  Take an ethical approach.  HoMER (Holistic Management of Employee Risk) – guidance to help mitigate people risk.
7. Control access – Introduce measures and monitor systems to ensure only those employed, contractors and suppliers have access to what is necessary to their role.
8. Create a strong security culture for ‘soft measures’ – lead by example.  A good security culture relies on visible endorsement from the top.  Is the level of protection proportionate to your identified threats (insider threat, terrorism, crime)?  Security culture tool help on shaping the strategic direction of your security policies.
9. Create a strong security culture for ‘hard measures’ – Establish robust procedures for dealing with poor security behaviour.  Enforce security policies visible and quickly.  Is there a formal document outlining the security culture of your organisation? Does it set out to staff their security responsibilities?
10. Protect your information – A security breach or loss of data can significantly impact on your organisation and cause serious harm across every level, from loss of capital and reputation to a loss of staff confidence and well-being Establish a cyber security policy that identifies risk across your organisation and apply appropriate controls.
11. Secure sharing information – ensure all who handle and access information are clear on their legal responsibility to protect it securely.  Sharing information inappropriately or carelessly can pose a significant risk to your organisation, leaving it vulnerable to theft, loss of data or improper use of information. Understanding how to manage information in a way that keeps it protected and secure is crucial.
12. Educate staff regarding online social behavior – train staff and promote safe behavior – raise the awareness of the risks involved.  Introduce staff education and training to promote safe and secure practices when using online social media to raise awareness of the risks involved.
13. Recruitment security Pre-screening – pre-check everyone who applies for a vacancy.  Include security checks as part of your contractor and supplier selection process.  Making appropriate pre-employment checks on all prospective staff will uncover any irregularities in information they have provided.
14. Equip your staff for safe home and mobile working – keep staff and information safe at all times wherever they are in the world.  For example, managing the risk posed by use of all types of mobile devices should be included in your risk management approach, along with appropriate mitigation measures.
15. Review exit strategy privileges for all staff – review privileges post resignation.  Remind exiting staff of their ongoing obligations of confidentiality.  A formal and thorough procedure for all staff departures will ensure appropriate actions are taken to protect the organisation, without unduly disrupting the employer-employee relationship.
16. Build it secure – ensure your buildings, physical barriers and surveillance equipment are fit for purpose.
17. Search and screening – create more secure zones onsite.  A security policy that requires staff to wear identity/security passes at all times should form part of your mitigation measures for those entering your premises. Security staff should be encouraged to challenge those who not wearing a pass.
18. Check adequacy of business continuity – regularly test you plans with desktop or live exercises
19. Review incident management plans – consider damage to critical assets, reputation, financial standing, employee morale and confidence.
20. Emerge stronger – learn from internal and external security incidents. 

The top twenty topics will give you a basic understanding of the array of subjects, which must be included in your crisis management plan. nStratagem are experts with a wealth of experience in all 20 topics.  nStratagem will support you, your board and organisation to manage risk and develop your crisis management plan.  Contact us for a confidential conversation about protecting your organization.

Gilly

I look forward to your thoughts and comments on this article.

Gilly Crichton is an Associate of nStratagem.  We have a great deal of experience in helping organizations and leaders through these issues and challenges. Contact us for a discreet discussion on your crisis preparedness and resilience strategies.

Subscribe To Our Organisational & Individual Security Feed