Before you throw money at cyber security for your business you need to ensure you are building on solid foundations. It’s far too easy to get sucked into the “Shiny Object Syndrome”, especially if you are not holistic in your approach to security.
There are many amazing products and tools on the market which, to the unwary, inexperienced or paranoid, can appear to solve all of their cyber security worries in one fell swoop. This is never the case, so let me help you save money and improve security at the same time…
While many small business owners are probably aware of the wider issues around cyber security and the need to safeguard their business, many think they are too small, not important enough or have nothing of value to cyber criminals.
Unfortunately, the truth is very different. Everyone, whether in business or not, is a target for cybercrime. If you have an identity, a credit history, bank accounts, friends and contacts, customers or suppliers, intellectual property or pretty much anything that can be accessed digitally, then you are a target.
And that is before you take into consideration any industry, nation or supply chain specific areas you work in.
It is a sad truth that small businesses within the supply chain, feeding into larger enterprises, are used by cyber criminals as a route to attack the larger organisations. This is partly because of the attitude mentioned above, but also because small businesses don’t typically invest as much time, effort and resources into cyber security. This in turn makes them prime targets for crooks looking to attack bigger businesses and organisations.
When it comes to cyber security, you can’t protect what you can’t quantify.
Before you can implement relevant technical, procedural, personnel and physical security controls, you need to identify and value the assets – information, data, systems and processes – that make up your business.
Identifying your assets means understanding what you have and defining its boundaries: where it is stored and processed, whether it is shared with others or has restricted access, what it is used for and who has access to it. You then need to assess the value and importance of each asset to your business in terms of its Confidentiality, Integrity and Availability.
This will then allow you to quantify which assets are most valuable to your organisation, and assess the risks…
Once you have identified and valued your information assets, and before you start spending time and money on security controls, you need to see where your highest risk areas are.
If your highest value asset is a note pad that you keep safely placed in a locked cabinet that only you use, you might not need to spend too much effort on additional security.
However, if your next highest value asset is a large amount of sensitive personal information stored in an internet-based public cloud service, you might want to look at what you can do to protect it better.
This is why you need to assess the risks against each asset individually and ascertain, based on the highest risks, where you need to focus your efforts on improving your security.
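To show how the asset valuation and per-asset risk assessment described above can be written down consistently, here is a small risk register in Python. It is an added example, not part of the original post: the 1 to 3 impact scale, the exposure factors used to estimate likelihood, the risk bands and the third "accounts spreadsheet" asset are all constructed assumptions, chosen so that the notepad and cloud examples from the text come out as expected.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    """One entry in the asset register. Impact scores are 1 (low) to 3 (high),
    an assumed scale for how much a loss of each property would hurt the business."""
    name: str
    confidentiality: int
    integrity: int
    availability: int
    internet_facing: bool   # reachable from the internet (e.g. public cloud service)
    shared_access: bool     # accessible to people other than the owner
    third_party_hosted: bool  # stored or processed outside your own premises

    def value(self) -> int:
        # Value the asset by its worst-case CIA impact.
        return max(self.confidentiality, self.integrity, self.availability)

    def likelihood(self) -> int:
        # Assumed likelihood model: start at 1 and add one point per exposure factor.
        return 1 + sum([self.internet_facing, self.shared_access, self.third_party_hosted])

def risk_score(asset: Asset) -> int:
    """Risk = impact value x likelihood, on a 1..12 scale under the assumptions above."""
    return asset.value() * asset.likelihood()

def risk_band(score: int) -> str:
    # Assumed thresholds; tune them to your own appetite for risk.
    if score >= 9:
        return "high"
    if score >= 4:
        return "medium"
    return "low"

def prioritise(assets: list) -> list:
    """Highest risk first: this is where effort and budget should go first."""
    return sorted(assets, key=risk_score, reverse=True)

# Constructed register: the two assets from the text plus one extra for contrast.
REGISTER = [
    Asset("Notepad in locked cabinet (owner only)", 3, 2, 2, False, False, False),
    Asset("Customer personal data in public cloud", 3, 3, 2, True, True, True),
    Asset("Accounts spreadsheet on shared office PC", 2, 3, 2, False, True, False),
]

if __name__ == "__main__":
    for a in prioritise(REGISTER):
        print(f"{risk_score(a):>2} {risk_band(risk_score(a)):<6} {a.name}")
```

Run it and the cloud-hosted personal data lands at the top of the list while the notepad sits at the bottom, which is the prioritisation the text argues for.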
Unless your security is completely lacking, you should look to implement suitable, proportionate and practical security controls based on the risk levels of the various systems and assets you have.
Start with the high-risk areas. Look at the options for improving security, get good advice if you’re not an expert, and make sure you consider the four key areas of security:
- Physical Security – Are you protecting the assets from physical and environmental threats such as theft, fire and flood?
- Personnel Security – Does your team understand how to protect your assets? Are they properly trained to recognise the threats, particularly cyber threats, and do they follow the correct processes?
- Procedural Security – Have you implemented suitable policies, processes and procedures to protect your information assets?
- Technical Security – This is where most people focus and where “Shiny Object Syndrome” can be a problem – are you implementing the RIGHT technical security measures based on the risk and your budget?
A holistic approach to security takes into account all of these areas and ensures you are implementing security controls that protect you from a range of potential threats and scenarios.
Further Help & Advice
Implementing a set of security controls isn’t the end of the process. Further activities should include testing and reviewing your security, and embedding security processes in the heart of your business and operations.
Having said that, the steps above will get you started, and will provide you with a higher level of security than the majority of small and medium enterprises.
If you need any help or advice, either implementing the steps above, or moving beyond just implementing security controls, please feel free to contact me and we can schedule a free, 15-minute consultation, no commitment necessary.