Cyber Resilience in Critical National Infrastructure: Why Risk Management Needs A Mindset Shift

By Ian Gemski, CEO at Tekgem

In the world of CNI, understanding cyber risk is only half the challenge.

The real difficulty lies in prioritising and managing that risk, and this is something that has to be owned from the boardroom to the shop floor. At its core, the goal is simple: to be able to operate business as usual in the event of a cyber incident.

While it sounds straightforward in theory, putting it into practice is far from easy. A recent example makes this clear. Over the Easter weekend earlier this year, multinational retailer Marks and Spencer suffered a major cyber attack. Their online shopping services were suspended for three months, only returning in late July. Shelves in their supermarkets were empty, product availability across clothing lines was limited, and the financial impact was estimated at around £300 million. This is what happens when cyber resilience is lacking: normal operations grind to a halt.

For 20 years, Tekgem has been working with operators of essential services in the CNI space, helping them understand and manage their cybersecurity risks. This experience underpins the launch of a new version of Unity, Tekgem’s software platform, now featuring a comprehensive risk management capability designed to address the challenges of becoming truly cyber resilient.

Risk Assessment vs Risk Management

The new Unity risk management feature walks organisations through the process of identifying and classifying critical systems for essential business services. It determines cyber risks based on identified vulnerabilities and known threat actors, aligning this process with international cybersecurity standards and risk management frameworks. It also provides a live risk register and an action tracker, ensuring risks are managed throughout the lifecycle of business operations.

Unity’s dashboards play a key role here. They give executives clear visibility of total risks, scores, priorities, and the top 10 highest risks. Crucially, they also track the actions being taken to address those risks. Risks without actions are meaningless, and visibility is essential for everyone from operational teams to board-level decision-makers.

A risk assessment is only one part of the bigger picture. It is a snapshot in time. The moment a new system, process, or technology is introduced, your risk profile changes. Risks are fluid, and the cyber threat landscape changes constantly. That’s why the industry is moving away from static, annual risk assessments towards continuous, dynamic risk management.

From Reactive to Proactive

For too long, cybersecurity has been focused on reacting to incidents after they occur. The shift that needs to happen is towards proactive prevention.

Vulnerability management is a prime example. Many organisations focus on patching vulnerabilities with the highest severity scores, 9.9 or 10 out of 10, without considering the actual risk. If a vulnerable system isn’t connected to the network, the risk of exploitation is minimal. By managing risk rather than just vulnerabilities, you focus resources where they matter most: on systems critical to your essential business functions.

A Practical Approach to Risk

The first step is asset classification. Review systems one by one and determine whether each is essential to continuing operations. If a document management system contains your plant’s startup and shutdown procedures, losing it could mean you can’t operate safely. That’s a critical risk.

If you run a shop and your point-of-sale system fails, can you still trade? If you can take cash, yes. If you’re cashless, the shop closes. These simple assessments clarify where to focus protection efforts.

Once assets are classified, risks can be clearly identified, prioritised, and addressed. This not only supports operational continuity but also ensures that the right investments are made to protect what matters most.
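The two steps described above (classifying assets by whether the business can still operate without them, then ranking vulnerabilities by risk rather than by severity score alone) can be made concrete in a few lines. The following is an added example, not Tekgem's or Unity's code; the asset inventory, the vulnerability identifiers and the exposure and criticality weights are all constructed for illustration and are assumptions, not values from the article.

```python
"""Risk-based vulnerability prioritisation over a constructed asset inventory.

Added example, not code from Tekgem or the Unity platform. It shows why a
CVSS 10.0 on an isolated, non-essential test machine can rank below a 6.1 on
an internet-facing system that the business cannot trade without.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    essential: bool   # step 1: can the business keep operating without it?
    exposure: str     # "internet", "internal" or "isolated" (not on the network)


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    vuln_id: str      # constructed placeholder ids, not real CVE numbers
    cvss: float       # published severity, 0.0 - 10.0


# Hypothetical weights (tune to your own risk appetite): an isolated system can
# barely be reached, so its severity is heavily discounted; a non-essential
# system is discounted further because losing it does not stop operations.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.1}
NON_ESSENTIAL_WEIGHT = 0.4

# Constructed inventory: asset name -> network exposure.
INVENTORY = {
    "web-shop": "internet",
    "pos-terminal": "internal",
    "doc-management": "internal",   # holds plant start-up/shutdown procedures
    "lab-test-pc": "isolated",
}

# Constructed answers to the article's question "if this fails, can we still trade?"
OPERABLE_WITHOUT = {
    "web-shop": False,
    "pos-terminal": False,
    "doc-management": False,
    "lab-test-pc": True,
}

# Constructed findings, deliberately ordered by raw severity.
VULNS = [
    Vulnerability("lab-test-pc", "VULN-0001", 10.0),
    Vulnerability("pos-terminal", "VULN-0002", 9.8),
    Vulnerability("doc-management", "VULN-0003", 7.5),
    Vulnerability("web-shop", "VULN-0004", 6.1),
]


def classify_assets(inventory, operable_without):
    """Step 1: mark each asset essential unless the business can operate without it."""
    return {
        name: Asset(name, not operable_without[name], exposure)
        for name, exposure in inventory.items()
    }


def risk_score(vuln, asset):
    """Step 2: severity weighted by how reachable the asset is and how much it matters."""
    weight = EXPOSURE_WEIGHT[asset.exposure]
    if not asset.essential:
        weight *= NON_ESSENTIAL_WEIGHT
    return round(vuln.cvss * weight, 2)


def prioritise(vulns, assets):
    """Return (risk, vuln_id, asset) tuples, highest risk first."""
    scored = [(risk_score(v, assets[v.asset]), v.vuln_id, v.asset) for v in vulns]
    return sorted(scored, key=lambda t: t[0], reverse=True)


def severity_order(vulns):
    """The patch order you get by sorting on CVSS alone."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def risk_order(vulns=VULNS, inventory=INVENTORY, operable_without=OPERABLE_WITHOUT):
    """The patch order you get by managing risk instead of vulnerabilities."""
    assets = classify_assets(inventory, operable_without)
    return [vuln_id for _, vuln_id, _ in prioritise(vulns, assets)]


if __name__ == "__main__":
    print("severity-only order:", severity_order(VULNS))
    print("risk-based order:   ", risk_order())
    for risk, vuln_id, asset in prioritise(VULNS, classify_assets(INVENTORY, OPERABLE_WITHOUT)):
        print(f"  {vuln_id} on {asset}: risk {risk}")
```

Run stand-alone, the script prints the severity-only order (the isolated 10.0 first) beside the risk-based order (the internet-facing, essential web shop first and the isolated test PC last). In a live risk register each row would also carry the owner and the action being tracked against it; the scoring here only covers the prioritisation step.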

The Updated Unity Launch

The updated Unity platform, with its enhanced risk management capabilities, is being released this month to both new and existing customers. Tekgem will be hosting webinars, demos, and a full campaign to showcase and explain how Unity supports a proactive, resilient approach to cybersecurity.

For more information or to arrange a demonstration, contact Tekgem directly.