Governance is essential

Focus on technical solutions alone is equivalent to leaving home without your trousers. Governance is equally important.

Ninety percent of smokers will die or become ill because of their habit. They all know this. Yet most convince themselves that they will be in the 10% that dodges the bullet. When it comes to information security and its not-so-little brother, cyber-security, the question increasingly is not whether a company will be attacked but when. Those who ignore this simple fact are probably crazy, stupid or incompetent. There is no patch for any of these. Adopting the ostrich approach will only prevent you from seeing it coming – and present the hacker with an amusing view of the approach.

The kernel of any good cyber defence is a simple, well-crafted governance regime. Identify the threat, quantify the risk and array defences accordingly. The magic ingredient is always proactive engagement on the part of management. Below this, cyber-security must be an “everyone, all of the time” situation. Drop your guard and a hacker will spot and exploit the vulnerability in a moment.

Governance – rules, processes and procedures – must be clear, concise, written in plain language, effectively promulgated and effectively applied. NO exceptions. Training and education must take place. This all might seem a drag and expensive, but neither of those consequences is worse than the company going to the wall because you didn’t do the simple things. Even the smallest enterprise needs to ensure that its people know what they need to know and do what they need to do.

Unsporting hackers spoof email addresses and links very effectively. If you are busy, tired, or both, it is a simple and easy mistake to open one of these. Some estimate that as many as 95% of all hacks begin with a successful phishing attack. Well-maintained cyber-security tools and a structured update and patching programme are vital. But these will only help as part of a coherent plan that has, at its heart, good governance. That plan is what will save you from a heap of misery on the day that the hackers visit.

Management must be clear about what they will do in the event of a cyber breach – and they will need to have practised it. A potential problem will swiftly turn into a full-blown crisis if the response is inadequate – ask BP or Sony. No plan? You have an 80% chance that you will soon be just a statistic. The days of blissful ignorance are rapidly receding.

Andrew Taylor

CEO of Bronzeye IBRM

Bronzeye IBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.