
The three pillars of cyber security

A common misconception is that technology, such as a piece of software or a sophisticated firewall, is what constitutes the cyber security capacity of an organization. However, cyber attacks come in many forms, and technology alone cannot protect you. Effective and robust cyber security requires an information security management system built on three pillars: people, processes and technology.


People is the pillar that carries the highest risk, as human errors and misjudgments are found to cause, or at least contribute to, the majority of successful cyber attacks.


A comprehensive study found that 1 in 2 employees is likely to open and read phishing emails, and 1 in 3 is likely to click the links in phishing emails (which may lead to the silent installation of malware or ransomware) or download their attachments (KeepNet Labs, 2019).
Therefore, awareness training is the key to building an effective defence against cyber attacks.

Here is what an employee can do to help reduce successful cyber attacks:

  • Don’t click phishing links in emails
  • Don’t open attachments from an unknown source
  • Don’t download software from sites that are not sanctioned by the company
  • Don’t use USB memory sticks that are not your own
  • Do use secure passwords

These simple steps may reduce risk significantly.


Processes is the pillar that ultimately relies on having the right technology and properly trained people in order to succeed.


Processes may include:

  • Performing risk assessments to identify risks
  • Using management systems
  • Keeping software up to date by installing security patches promptly
  • Using two-factor log-in


A company needs to follow proper procedures to reduce the risk of cyber threats. Processes should define how the organization's activities, roles and documentation are used to mitigate cyber security risks. As cyber threats keep changing, processes must be updated accordingly.


Technology is crucial to managing and reducing the risk of cyber threats in an organization. Nemko, for example, must use highly sophisticated technology to protect the records and potentially sensitive data of our customers.


Technology is crucial. However, it is only as good as the people who use it. Therefore, it is essential to use technology that meets your needs and that is simple yet effective for staff to manage. Overly cumbersome security systems are known to be circumvented by impatient employees.

Various technologies are used for cyber security protection, such as firewalls and VPNs. However, the configuration of these components and the "hardening" of the system (changing settings to increase security, closing unused ports, and turning off non-essential services) are just as important.
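As an added illustration of the "close unused ports" part of hardening (this script is not from the original post or from Nemko), the following POSIX shell audit compares a host's listening TCP sockets against an allowlist of ports the system is expected to expose. The allowlist (SSH and HTTPS only) and the socket listing are constructed assumptions for demonstration; on a real host you would feed it the output of `ss -tlnH` instead.

```shell
#!/bin/sh
# Added example, not part of the original article: flag listening TCP ports
# that are not on an allowlist, so unused services can be reviewed and closed.

# Assumption for this example: only SSH (22) and HTTPS (443) should be exposed.
ALLOWED_PORTS="22 443"

# Constructed sample in the column layout printed by `ss -tlnH`:
# State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
SAMPLE_SOCKETS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 50 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# unexpected_listeners ALLOWLIST  (socket lines on stdin)
# Prints "PORT LOCAL_ADDRESS" for every listening port not on the allowlist.
# Loopback-only listeners are skipped because they are not reachable from
# the network and therefore not part of the exposed attack surface.
unexpected_listeners() {
    allowed="$1"
    while read -r state recvq sendq local peer; do
        [ "$state" = "LISTEN" ] || continue
        port="${local##*:}"   # text after the last colon is the port
        host="${local%:*}"    # everything before it is the bind address
        case "$host" in
            127.*|"[::1]") continue ;;   # bound to loopback only, skip
        esac
        found=0
        for p in $allowed; do
            [ "$p" = "$port" ] && found=1 && break
        done
        [ "$found" -eq 1 ] || echo "$port $local"
    done | sort -u
}

# count_unexpected: number of unexpected listeners in the sample, as a bare
# integer on stdout, convenient for scripting a pass/fail check.
count_unexpected() {
    printf '%s\n' "$SAMPLE_SOCKETS" | unexpected_listeners "$ALLOWED_PORTS" | wc -l | tr -d ' '
}

# Run the audit over the constructed sample; the MySQL port 3306 on 0.0.0.0
# is the one listener that should be reviewed (631 is loopback only).
printf '%s\n' "$SAMPLE_SOCKETS" | unexpected_listeners "$ALLOWED_PORTS"
```

The allowlist is the important design choice: it turns hardening from "look for anything suspicious" into a comparison against what the system is documented to need, so a new listener shows up as a deviation even if nobody recognizes the port number.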

Alignment is key

The relative importance of these three pillars varies between companies. For example, a high-profile enterprise will have a higher risk of a targeted attack. Therefore, it should seek more advanced technical protection than a small company, which is more likely to be exposed to automated attacks.

Regardless of your company’s size, by adopting this three-pillar approach to your cyber security strategy and ensuring that the pillars are correctly aligned, you are far better prepared to meet the cyber threats of tomorrow.


Written by Geir Hørthe
Geir Hørthe is responsible for the Nemko cyber security initiative. He has worked at Nemko for more than 30 years, in test services and as lab manager of the safety, ATEX and medical departments. Geir was also, for two years, Managing Director at the Nemko office in London. After he returned to Norway, he held for many years the position of Certification Manager at Nemko HQ, with responsibility for electrical product certifications, both national and international.
