What Is Your Problem?
After spending a while working for and with startups and small and medium enterprises, I’ve noticed some trends. For each company I’ve been associated with, I’ve noticed one of the following problems with regard to cyber security:
They don’t know what they don’t know
They know, but they can’t afford the fix
They do things, but they are not consistent, documented or tested
They realise how far behind they are, only when a potential client asks about their security program
They don’t care about doing the right things
Now, unusually, I will quickly address that last point first. I only experienced this scenario once. I think most companies and people care about doing the right things. But it has to come from the top and flow down, and the people need to be educated on what those right things are.
Anyway, where am I going with all of this?
The vast majority of security companies, vendors, people etc. follow a solution based approach. I want to talk a bit about the problems, and give a few thoughts on why they may exist.
They don’t know what they don’t know
This one is critical. I believe the vast majority of companies who suffer a data breach belong in this category. They weren’t sure what was possible and therefore weren’t able to prepare for it. They didn’t understand their cyber risk posture, and didn’t reduce the likelihood or impact of such losses. My experience of this problem comes from a different angle. Often companies approach me wanting something, for example a security policy, but don’t see what they really need. This is fine and part of the process; I don’t expect a CEO, CTO or CFO to know the ins and outs of cyber security and how it impacts their organisation’s goals. I am here to educate first and foremost. I want to educate companies on what could go wrong, how likely it is, and how to build a security program that is proportional to their business and growth. It is a challenge to do this without fearmongering. The truths about what can happen if you don’t have a thought-out cyber security plan are hard, but the reality is that you only need to practise a few basics to vastly reduce your chances of a costly security event. A security plan should reflect those basics and, once in place, will reduce the likelihood and impact of losses. It will demonstrate a return on security investment (ROSI), whether it be time, money or talent. My advice to organisations who find themselves here, and believe they are part of the ‘we don’t know what we don’t know’ group: educate yourselves. The government’s National Cyber Security Centre (NCSC) has a lot of resources on cyber security guidance for organisations of all shapes and sizes. What’s more, they are written in a language that non-technical people can understand. You can find out what guidance they have here.
They know, but they can’t afford the fix
Some organisations know the risks. They know a breach could cost them a hefty chunk of their annual revenues. They also know that cyber security can be expensive. Want a Chief Information Security Officer (CISO) on your board? That will be £100k, please sir. In fact, I recently spoke about some options. It is true that cybersecurity can be expensive. It is currently one of the best paid professions out there. Why? In short, there is a lot of demand and not much supply. Couple that with the hefty technical knowledge and business savviness one needs, and you’ve got yourself a rare find. What I would like to make clear here, if you take nothing else away from this post: cyber security is not about technology. Therefore, it need not be expensive. Technology is just one part of the puzzle, and when I consult for businesses I rarely, if ever, recommend that technology be purchased. The truth is, there are a bunch of basic things one can do to become relatively secure, and they cost time, not money. The vast majority of breaches stem from human error. Think about when your marketing person sends an email to the wrong person, a developer opens an online database to the internet instead of keeping it private, or your PA (who has access to the world and its dog) sets the same password for their work email as they use to order a takeaway when they get home. If human errors are the basis for most security breaches, what can we do? We can train people on the risks. Security training can be found online for free, or you can hire someone like me to have a chat with your team every few months, answer their questions, and tell them about the current trends. One good consequence of the pandemic is that many great professional services are now accessible remotely. You can hire a security consultant on a five-day retainer per month. One of my clients contracts two days per month for proactive and reactive security projects.
Another client pays for one hour per month so we can have a progress catch up and I can direct their cybersecurity journey. Cybersecurity doesn’t have to cost much money, if any at all. If you’re a nonprofit with little or no budget for cybersecurity, I’m offering complimentary security consultancy.
They do things, but they are not consistent, documented or tested
Many organisations have some good security practices in place. They use anti-virus, they back up their data. Some companies under 100 people even have a full-time security person – great! If you’re doing something, the odds are you’re probably sleeping better at night. Providing you’re doing the right things in the right way at the right time, you’re probably reducing the likelihood of a breach. Even better if you did some research or asked a security professional. The only worry with this approach is when an organisation is doing things that do not make sense or are not well informed:
+ Do carry out some research on resources like the government’s 10 Steps To Cyber Security, or pursue the Cyber Essentials certification.
– Don’t just do things because a security vendor sold something to you.
+ Do get in touch with a security professional and ask their thoughts, or even have a cyber risk assessment performed.
– Don’t think performing a penetration test once a year is sufficient – it only covers the technical vulnerabilities of a website, and doesn’t consider the rest of the organisation.
They realise how far behind they are, only when a potential client asks about their security program
I’ve recently been involved with a few companies who only consider their own security when a potential client asks them. That is, they didn’t know about a problem, or didn’t fix it, until they were prompted. This is fine and normal, but don’t expect to become 100% compliant with a potential client’s security requirements any time soon. There are good and bad ways to handle such a situation; I wrote about how to master the security questionnaire process here, if this is your current predicament.
This isn’t an exhaustive list of problems. Hopefully, it has helped organisations understand what cyber security problems may exist and what options there are for better aligning resources to those problems.