With over 15,557 reported data breaches in globally, it’s safe to say that cyber security should be a top priority for all organisations. 

Most organisations are already well-aware of this threat and are pouring money into their security budgets. Gartner estimates that worldwide cyber defence spending could hit $114 billion (about €102 billion).But before opening up your chequebook, you need to make sure that any investments address the full range of vulnerabilities in your organisation. 

Too many people believe that cyber security is just about technology. However, you also need to ensure that you have the correct processes in place to get the most of those technologies and train staff to avoid costly mistakes.

It’s only when you invest appropriately in each of these three domains that you can be confident in your organisation’s cyber security posture. 

So, what do those domains involve? 

People 

The ‘people’ aspect of cyber security refers to staff training. The level of training you provide will depend on whether the employee has a technical or non-technical role. 

Non-technical staff don’t need advanced cyber security knowledge, but they do need a strong understanding of the fundamentals. A security awareness programme, or training courses that address specific issues like phishing, are essential. 

Technical staff will already have a strong understanding of core security principles, but they should still be part of your general staff training activities alongside further training to help them stay up to date with the evolving threat landscape and security best practices. 

Given the ever-widening cyber security skills gap, it might also be worth encouraging employees to gain advanced qualifications that will help them move into more senior roles.

Processes

Staff training goes hand-in-hand with organisational processes. These are written instructions on the dos and don’ts of various practices. 

ISO 27001, the international standard for information security, provides a complete set of cyber security processes based on the implementation of an information security management system.

Technology

We’ve placed technology last to emphasise the fact that it should support people and processes rather than being relied upon. 

Technological defences can automate processes that would otherwise take a human a long time to complete, such as identifying threats in your systems. Other technologies act as a first line of defence that weed out threats so that a human doesn’t have to, like spam filters. 

But whatever the technology is doing, you can’t assume that it will be 100% effective. For example, email scanning software will send the majority of suspicious emails to employees’ junk folders, but that still leaves a lot of emails that end up in inboxes. 

That’s why you need to train employees to spot suspicious emails and give them processes to follow.