
For the head of the company

The responsibility lies with the head of the company.

Cybersecurity is not just a matter for the IT department; it is also a matter for management and executives. The clearer the business manager’s understanding of the need to implement protective measures, the better they can direct their team and resources. Members of management play a key role in ensuring the information security of an organisation, and their actions and decisions have a direct impact on the organisation’s ability to protect its data and systems.

Here’s what to do!

  1. Make information security a strategic priority for your organisation and allocate financial, technical, and human resources to implement it.
  2. Follow information security laws, regulations, and standards.
  3. Map the organisation’s responsibilities, liabilities, assets, and risks.
  4. Define your organisation’s level of risk tolerance and identify those responsible for information security.
  5. Make sure to have an overview of the state of information security and possible incidents.
  6. Carry out regular security training and contribute to raising staff awareness.
  7. Create a working environment that values information security. Be a role model by following the best practices and policies on information security.

Determine the company’s security needs

Information security starts with a clear understanding of what we are protecting and why. Small and medium-sized companies in particular often do not fully appreciate the importance of cybersecurity or the risks that inadequate information security poses.

The protection requirement is the set of security requirements that must be met for an organisation’s business processes to operate at a high level of quality. To assess the protection requirement, it is worth working through different loss scenarios by asking questions such as:

  1. Which regulations and agreements set requirements or expectations for the organisation?
  2. What is the potential harm to someone’s life and health from the activities of the organisation?
  3. What are the losses if the organisation’s tasks are not completed and the quality of work is not as expected?
  4. What are the consequences of damaging the organisation’s reputation?
  5. What are the financial consequences of data and system failures?

By considering various scenarios, the organisation can identify the weakest areas that need to be prioritised for protection. The same exercise also establishes its risk tolerance, or risk criteria: which situations call only for monitoring, and which require protective measures to be implemented immediately.

In a digitalised society, security must be a natural part of the company’s operations, which means that security risks are treated like any other business risk. Once the company has identified its protection needs, there is a clear purpose for implementing security measures. Such mapping also provides guidance when a contract ends, the law changes, or a new subcontractor is engaged, because it shows immediately what needs to change in the company’s security management.