Business Security – Don’t do it yourself!

When it comes to business security, most people think that it is a no brainer!

Delegate to the IT department and it is done.

If you want to be a target, maybe get your 2 minutes of fame on the nightly news and want a cyber event to impact your reputation, finances, operations, and legal capability then, by all means, ask the IT department.
Business security is all about the business.   Yes technology and the IT department are a component but they are not the most important component of the requirements to secure the organisation

Business security starts at the top.   Board Members, managers, and owners are required to look at the business and work out where an attack could come from, calculate the destructive effects, mitigate those effects and then implement protective strategies to cover those attacks.

This is very hard to do when your expertise is based on your core business.   Your core business could be anything – legal, finance, manufacturing or even charity based.   You are good at what you do, that means that you are not the best at understanding the problems associated with business security.

This is when you need the Board, management, and owners to look outside their organisations, to people and organisations that focus on business security.   Business security is their core business!

From a management perspective, business security is all about risk.   Risk assessment, risk management and then risk reduction.   Your organisation has to have an understanding of their risk appetite before they can implement change and reduce those risks.

Business today is wholly dependent on the digital.  We would not be able to do business without it.    Each of those digital components has a risk factor requirement.   Do you know what they are?

A business security risk assessment is the first step in Business security.

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings“.

Business Security is not just IT

The repercussions of a cyber event will create a serious problem for your oganisation long after the initial threat has been discovered and neutralised.

The bad guys are after everything that they can get their hands on that is not theirs.   They are also targeting anything and everything that has a link to the digital world.

What does not appear in the glossy brochures relating to the next shiny new product is the vulnerabilities that come pre-configured in these new systems.

I am not being nasty, but the pressures to get things to market are enormous and the first thing that is left in the background is security.

To get systems to market they will cut corners, use insecure code or even “borrow” code from other devices bringing their inherent vulnerabilities to their new product.

The wannacry and petya attacks were both perpetrated against a vulnerability that was patched recently but also has been available in most Microsoft operating systems since Windows XP.

The subsystem targeted allows one computer to communicate with another to share files.   There have been a number of vulnerabilities found that have this profile in every operating system.

But what happens if you have succumbed to a cyber event?   How do you improve your Business Security?

There are a number of areas you now have to worry about.

  • The most pressing is the immediate threat.
  • Have they encrypted your files and if so do you have a backup?
  • Has that backup been tested?
  • If you have a back up how will you restore your information and systems?
  • If you have cleaned the system are you sure you have everything?
  • What else has been stolen/accessed?
  • Never ever EVER pay the ransom!  You are dealing with criminals and they cannot be trusted.  If you pay there is no guarantee that you will get your data back
  • I recommend that you start from scratch, but that’s just me.

Short term tactics:

  • Has the event been disclosed,
  • Are you required to tell your clients, staff, customers
  • Has the disclosure had any effect on reputation, on your finances, on your customers, clients and staff. If so what will you now do?
  • I recommend that you do a number of things,
    • change passwords,
    • monitor credit card, and bank accounts.
  • Something that is very important – tell people.

Long term Strategies:

  • Not a person for stats but 60% of SME who have a cyber event will shut their doors within 3 months, a further 50% will shut after 12 months and/or they will be a shadow of what they originally were. (Victimless crime – my arse)
  • Check your Personal Reputation – use google alerts on your name, business name, trade marks.
  • Do a credit check – in some areas you can lock your credit rating, do it!
  • Get someone else to check chat rooms, information for sale and the dark web.

Using Business Security to avoid a cyber event in the first place?   Avoidance is hard, preparation is easy.

  • Have a decent and tested backup of all critical data.
  • encrypt critical data both at rest and in motion
  • use complex, long and unique passwords,
  • PATCH IT ALL,
  • penetration testing with minimal restrictions
  • Get paranoid, be aware and use common sense.
  • Implement a framework (we use NIST),

It is not all doom and gloom, but I can tell you from experience, in the midst of a cyber event, it feels like it.

The best way to counteract a cyber event is to expect to be compromised.

Hope for the best but plan for the worst! 

The best way to find out how vulnerable to a cyber event your organisation is.   Use the CareMIT Digital Diagnostic Tool or come to one of our regular quarterly “Security Board Meetings