A popular saying in life, but also very true when considering cyber and information security for a business.
The main issue in this instance is where to start planning, and what in truth is the worst?
To start the planning phase you need to understand what the worst could be for the business, here we are talking in terms of cyber and information security. As this could be a wide-ranging question, it can be split into numerous categories dependant on your business. These may include things such as internally hosted infrastructure and applications, critical cloud services, third-party suppliers, customer data, company data, physical assets, and staff. The items of concern should be tailored to your business unless you are looking to follow a best practice framework and address security across all areas.
What is key is understanding your assets, the risks to them and the impact these can have on your business when something goes wrong. If only there was an exercise you could perform which would assist with this, and that could be updated as the business grows.
I would advise all businesses to perform a Risk Assessment (RA) and get a Risk Register (RR) together. This is the best way to understand what risks your business faces, and how to resolve them. This then leads on to where to allocate budgets for the best results. Performing an RA usually offers great ROI; when performed by competent professional, additional benefits and streamlining of resources usually more than covers the entire cost of the exercise.
Once done, it is now possible to understand what the worst security impacts are, and their likelihood. Is it a ransomware attack locking all systems disrupting business (very common at the moment but fairly easier to plan for), or is it a key third party supplier being breached and losing access to critical company/customer data or services (not as common but could have a huge impact and is harder to plan for)? Again, this is where having the assistance of an expert professional is vital, to derive the greatest ROI and cover all risks. Using their industry knowledge and experience they can put into perspective the likelihood of the risks and how to effectively mitigate these.
Until you have performed an RA and have a RR, in my opinion, you can never truly plan for the worst, as you don’t know what it realistically could be.
To discuss performing a Risk Assessment or how to start planning, get in touch.