Why do businesses not do cyber security?
Because it is not the business owner's highest priority. Businesses exist to make money (otherwise they do not last for very long); everything a business spends money on that does not make money is an expense, and spending is focused on the costs that are known to be critical.
Cyber security solutions that are not presented in terms of business value cannot gather interest from business owners; there are too many other factors competing for attention in the day-to-day workings of a company.
I have heard this statement time and time again: "Business X only started spending on cyber security AFTER they were breached." Because so few businesses are breached in any meaningful way, it takes time for the word to get around, which means that cyber security professionals need to pick up the slack and teach our industries what they should be doing to stay safe.
The Challenge
There are a few challenges that cyber security (or other new technology) products face in creating enough interest from business owners to be seriously considered for purchase and implementation:
- A company's risk of being breached when it is doing everything right is very low, so low that it barely registers as a risk; I wrote about this recently.
- Cyber security professionals do not all know how to relate risk to the business in a form that the business can understand and accurately assess. Risk as we see it as cyber security professionals does not correlate with risk that a business owner can appreciate unless we describe it in a way that they understand:
  - understand the business assets (not the technology assets) and the likelihood of a breach affecting them
  - what would happen in a breach (can the business keep processing orders, making product, etc.)
  - what the outcome would be and whether it is business ending (brand damage, financial ruin)
- The cyber security industry would have us believe we are all going to be breached by a malicious actor and have our data stolen. The truth is much more nuanced: the statistic that states over 60% of businesses were breached last year is correct, but what it counts is that more than half of our businesses had one employee click a phishing email or someone send out confidential information by mistake. We are only as strong as our most tired, stressed, distracted staff member.
- The most likely form of breach is not a nefarious hacker; it is an employee clicking a phishing email and giving away their credentials. The next most likely is either an employee accidentally forwarding data out of the organisation or a malicious employee doing it for money or some other nasty purpose.
- Implement Multi Factor Authentication. Microsoft reports that MFA blocks over 99.9% of automated account compromise attacks, which is the route a malicious actor or a compromised third-party supplier most often takes into your accounts. DO THIS: https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/ (note that MFA protects accounts, not the data an employee chooses to send out, so it complements rather than replaces the data governance items below).
- Teach your staff never to open emails with offers or things that are "too good to be true". Gamify their reporting of potential breaches; put memes up everywhere!
- The majority of breaches would not be resolved with a detection or response product (by far the part of cyber security making the most advertising noise); they require corporate data governance to mitigate. So you do not need expensive CrowdStrike or SentinelOne as a first step; these come later as you improve your cyber resilience (or you use Microsoft tools, which are equally capable but can go much further across the business).
- Agreed, detection and response is a useful solution, after the basics are done well and not before. Managing endpoint detection and response solutions is not for the faint-hearted or the time-poor.
- Cyber security is a journey, and the requirement along this journey is never to be the weakest link: the weakest get eaten, or the colourful ones that stand out (utilities, banks, etc.) get targeted. You will not prevent a sustained targeted attack; eventually they will find a way in. The task is to make it difficult enough that they give up and target someone else.
- Do look at what you are currently doing and what licensing you already have before you look at cyber security tools, as many of them are an expensive overspend and will not reduce risk without significant input from your own people. Many vendors will probably not be around in three years' time, so an investment now may not be economic when you need to replace it.
- If you are using Microsoft tools already you may well have a leading cyber security toolset ready to go; you just need an MSP or consultant who can help you get the most from these tools.
- Cyber security statistics are bullsh.t. There is no easy way to say this, but 98.78% of the statistics you read, view or hear about cyber security are complete rubbish, except when they come from a government agency with no ulterior motive. Do not get caught up in the hype that you will be breached, etc. A handy hint for reading news and any article in today's "pay to play" culture: know the author and what his or her motivation is.
- Build your cyber resilience program around what you already have: people, processes and tools.
- Know what is important to your business and focus on that first, second and third.
- Do not pay attention to industry stats unless they are presented by government; otherwise they are published by vendors who have an interest in selling you something in particular.
Finally, you are probably much more cyber secure than you think: you probably have email security, endpoint security and some level of patch management, and hopefully multi-factor authentication (hint: you must implement MFA!).
Your next step is to increase your cyber maturity at a sustainable rate along with the rest of your business; there is no magical fix, and no product will make you secure either. Artificial intelligence and machine learning technologies are not at the level you are being told they are, and they are at best lucky to pick up a breach.
As always please reach out to us using this form if you would like to know more or you can email us here.