It’s simply a fact that many owners, managers, directors etc, believe that cyber security is a technology issue and is best left to those guys in IT who understand that stuff.  Here at H2 we spend a lot of time and effort trying to educate C level people, that it really is a business issue, although it has significant input from the techies.  It’s a business issue because breaches can have a significant financial and reputational impact.  It’s also an IT issue because it involves implementing technical measures to protect systems and data.  Effective cyber security requires a collaboration between business leaders and IT professionals to address both the strategic and technical aspects of security.

The crux of the issue though, is that it must be led by the business, and at board level.  It requires a strategy to be followed, which is laid down at board level and which is focused on the goals and aspirations of the business, especially when your IT is outsourced.  You can outsource your IT, but you can’t outsource your responsibility.

A valid argument is that the proliferation of security tools creates an illusion of safety.  Organisations, large and small, often believe that by deploying a firewall, antivirus software and maybe some other tools, such as intrusion detection systems, they are adequately protected.  This ignores the fact that such tools are controls put in place to mitigate risks identified and qualified in terms of importance, in a risk assessment and unless the benefits they bring are properly identified, and the solutions placed and configured correctly, they may well not be doing what you think they are doing.  This thinking can also introduce significant third-party risks into your domain.  The most recent example of this is the CrowdStrike issue which caused so much chaos throughout the globe.

To be fair to most companies in the smaller and mid-market arenas, their focus is on obtaining IT solutions as cost effectively as possible, and with the minimum of support costs.  Cost control is vital to most.  This means that they are extremely reluctant to spend money on what they see as not being part of their core business.  Of course, if they get a cyber-attack or scam, or worse a data breach attracting the attention of the ICO, then their costs trying to fix the issue can easily outstrip any costs in prevention.  Unless they have a well thought out risk managed strategy, they are wide open to slick sales pitches which push products.  The rub is that in order to have that well thought out strategy, it means spending on what they see as expensive services that can seem somewhat nebulous, not something they can see and feel, and there is that vague feeling that they are being led to do something that really isn’t all that important.

The approach most take is to trust their IT provider to give them the protections they need.  Most of these IT providers are what is known as re-sellers, ie they sell other people’s products and will push those products because that’s their business model.  What they won’t do is take a risk managed approach which is essential in ensuring that any limited spend on security, limited because of cost constraints, is targeted where it’s needed and will be most effective.  In other words, the technological approach taken by most IT support company’s will do half a job at best.

In essence then, if you don’t understand the risks you face, how can ensure that your cyber security strategy and protections are fit for purpose?  Risk management is all about helping us to create plans for our future in a deliberate and responsible way. This requires us to explore what could go wrong in an organisation, on a day-to-day basis.

A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:

‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’. 

How do we approach this then?  First and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it?  Taking risks is a part of business.  You assess risk every day when doing business.  Do you want to do this deal?  What happens if it goes not as expected?  Do I want to take this person on?  Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take.  Failure to do that will almost certainly be damaging to your business, perhaps fatally so. 

The difference between assessing day to day business risk and assessing risk to cyber assets, is one of understanding.  What is a cyber asset?  In this context insert the word ‘information’ instead of cyber.  It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on.  You understand your business risk, after all it is your business, but do you understand information risk?  Do you have a clear idea of what information assets you have and where they are?  Before you answer that think it through.  Do you really know where all the data is?  OK, you know that you have a server or servers probably in a cloud somewhere (cloud storage and access is a whole other subject) and that somewhere in those servers there is a bunch of data which runs your business.  How much of that data has been saved onto staff workstations when they needed it to carry out some work?  How much has been copied off somewhere else for what was probably a very good reason at one point?  How well is your firewall functioning?  Can malware work its way onto the network because the firewall does not have Universal Threat Management installed and can therefore be probing the servers and workstations.  And we haven’t even thought about changes in working patterns.  How many of your staff now work remotely some or all of the time.  I could go on.

How can we be sure where all this information is and how important each bit is to the business?  How can we assess this risk to the business, if information is lost or otherwise compromised?  What about ransomware, phishing scams etc?  The good news is that some of this can now be automated and managed for you at an affordable price and you can even arrange a 14 day totally free trial to assess its effectiveness.