What key things should organisations be doing in terms of cyber defences to ensure they are robust/resilient?
There is no shortage of companies out there making claims that there is a universal solution to security (it makes for a good marketing message), but unfortunately, in practice there is no “one-size-fits-all” solution to security.
Determining which practices, controls and countermeasures will work best in a given organisation is based on that organisation’s own needs: what works for it culturally, the level of risk that its business is subject to, and so on.
For example, the security techniques and methods that work best for a large hospital might be very different from what would work best for a “mom and pop” retailer – and more different still from a government agency or large financial institution. So, answering the question “what should organisations do?” is a bit more nuanced than it might seem on the surface.
In my opinion, there are two things every organisation should be doing: risk management and intelligence gathering. Risk management is the process of figuring out which risks the organisation needs to address, and putting measures in place to find them, track them, mitigate them, and make sure they stay mitigated going forward. Likewise, intelligence gathering, particularly of the threat environment – what the bad guys might be interested in and how they might attack – informs the risk management process directly.
