Irrespective of size, complexity and nature, all businesses are becoming increasingly reliant on their information systems and technological operations. This widespread adoption of, and reliance on, information and data has fuelled the growth of cyber-crime, especially in the commercial and industrial domains. Compounding the complexity is the pace at which technology (and its concomitant risks) evolves, making risk management a more difficult and arduous task. Complacency or hope that an organisation would not be on the cyber-threat radar. Threats and their potential impacts are very diverse and can touch on the principal vital components of an organisation. The primary threats we consider relevant to the local context are targeted DoS attacks for customers utilising online service delivery, data theft, digital fraud, viruses and malware, lax internal data policies leading to loss or unauthorised access, industrial espionage and intellectual property theft. An information security breach can rapidly turn into a corporate disaster, putting at stake the very existence of the organisation.
Our experience and partner network in this domain frame our approach to it. At the core of our engagements is instilling a culture that appreciates information security risks and their business and legal ramifications. To inculcate a stronger sense of ownership of this function, rather than adopting a technical approach to the subject, we apply a risk-based framework to assess the threats and calibrate the effort required, so that our client derives optimal value whilst mitigating the highest degree of risk possible. We prioritise four sensitive areas: customer data; shareholder and senior management information and communications; supplier and partner information; and intellectual property or trade secrets.
Pursuant to the cultural induction, we work with the client to assess the systems, processes and security frameworks in place and evaluate the organisation’s posture and preparation for the eventuality of a breach. We apply an iterative dual effort to minimise the level of security threat at the baseline whilst also putting in place the programme necessary to respond adequately to breaches and attacks, such as rapid response reaction plans, business continuity procedures, disaster recovery, forensic processes and crisis management plans. In performing our engagements, we also assess the existing technological arrangements to ensure that our client has the right level of protection. Our vendor-independence ensures that we shall not promote any specific technology and that we shall strive to provide our client with the optimal return on any security investment which the organisation would have already made.
We also engage with our clients in the event of a breach, to assist in handling the intense and complex situation that the organisation would be in, ensuring business continuity whilst mitigating financial, reputational and legal risk exposure. We build our services into the crisis management framework, deploying a multi-disciplinary team to assess the situation, develop a response plan and manage the team to deliver it, including a post-incident programme to ensure that the organisation derives value out of the incident.