If you’ve been watching the news recently, you’ll be aware that cyber security related incidents and data breaches are happening more and more frequently.
Over time, organisations, particularly larger enterprises, have come to understand the importance of IT/Information/Cyber Security, spending significant amounts of money on security “solutions”. And yet, hacks and data breaches keep happening.
This happens to all sizes and types of organisations, but those that affect larger organisations – the NHS, Equifax, Maersk, Ticketmaster, Twitter and Garmin for example, are the ones you get to hear about, because they are newsworthy.
These are big companies, with big budgets, and lots of security products. So how does this still happen?
The fact is, Cyber Security isn’t an easy nut to crack. It’s harder than it used to be. One of the key challenges for all businesses is that IT evolves quickly, threats evolve quickly, and security lags behind business and the primary focus of system needs – efficiency and enablement.
All too often, security is an afterthought, and seen as just a problem to solve. It’s looked at tactically.
“We have a problem. What product will solve that problem for us?”
There are two big issues here. One – there is no single product that will “solve” your Cyber Security “problem”. In fact, you could spend a huge amount of money on a range of different security products, which would be next to useless without the appropriate focus on supporting processes and training.
Two – the “problem”, in many cases, isn’t well defined or understood.
Smaller Organisations, Smaller Budgets but not smaller risk
As a smaller organisation, you might be thinking that this is because Cyber criminals are only targeting larger organisations, but unfortunately for you that’s not the case; in fact, you’re generally more vulnerable as a smaller organisation (we have a whole separate article all about this topic).
You might, however be forgiven for thinking something along these lines:
“Maybe we’re better to just save the money and deal with it if (more likely, when) it happens? I mean, if large companies can’t prevent these things from happening with all of their spending power and internal resources, what chance to us smaller businesses have?”
Invest wisely, don’t chase the silver bullet
We guess we could have titled this article “use your investment wisely” or something similar – but that wouldn’t have been a very catchy title now, would it? But that really is the key message that we want you take away from this article. We’re certainly not advocating that you don’t invest in Cyber Security. We do want you to use your budget wisely though.
Effective Cyber Security requires a Strategy. Putting this together should be your priority for investment. Don’t waste your money chasing some “silver bullet” technical solution that doesn’t exist, to a problem that you haven’t properly defined.
Understand, Define, Prioritise, Plan
Firstly, define the problem. This requires a solid understanding of your business, what your business relies on from a data and systems perspective, and the implications, or impacts of not having those available to you. Once you understand this, you need to look at the threats and risks that exist and the probability of any of those risks occurring, and then prioritise attention areas based on risks, and business impacts.
Secondly, look at why the risks you’ve identified exist. There might be technical reasons, but often they are associated with processes (or lack of them), or people (lack of understanding, training, or attitudes).
Once you’ve been through the processes above, you can start to make some informed decisions about how to address risk areas. You might need some different or new technical solutions, with some risks more effectively addressed through updating or implementing new processes, or by helping people in your business to be part of the solution through policies, training etc.
Build a plan. This should guide your Cyber Security strategy, and spending. Typically, this might start with the next 6-12 months (but remember that Cyber threats are ever evolving, so your strategy must do the same).
If you’ve built your plan effectively, it will most likely contain a set of actions which focus on People, Process and Technology, built around the need to protect the Confidentiality, Integrity and Availability of Data and supporting systems. Critically, it will be based on YOUR business and YOUR risks.
You might need new tools. You may need help from security specialists to help you understand, build, and execute your plan. You might need help from your IT support company or to outsource some elements. All of that is fine, and often necessary – and typically it’s not going to be free. Like anything important, some investment is likely necessary.
We just want you to invest wisely.
Need some help? We invite you to schedule a 30 minute call with one of our Cyber Security Consultants to help you understand where your key risks and opportunities are, and how we might be able to help.