Cyber-security is fast becoming the primary technology concern of businesses both large and small.
How do you know when secure is secure enough? Where do you even begin?
Here’s a primer on the difference between Cyber-security and IT Management and where to begin when you want to protect your business.
You may think that your in-house IT department or your hired IT Services company has got you covered when it comes to Cyber-security. While they do overlap, Cyber-security is rapidly becoming a specialty with a set of roles, processes and goals separate from those of IT Management. IT Management, for example, is focused on giving people access to the tools they need to get their work done. Cyber-security, on the other hand, is more concerned with putting up walls and obstacles to prevent unwanted access to your business tools. IT Management tries to improve productivity to make business more efficient, while Cyber-security is concerned with creating and following policies that can often impede the productivity of a nimble and improvised business process.
So how do we all just get along?
A great place to start is where IT Management and Cyber-security overlap. Every business should have a few basic tools in place to have a good security footing, and the nature of your business will determine where you will land on the spectrum. The core question is this: How many security obstacles can your business tolerate compared to the risk of breach and the impact of lost productivity?
A few basic security controls we have grown to live with are things like a professional-grade firewall, antivirus and passwords. These are not inconvenient by today’s standards, though I’m sure you’ve been lectured about using complex passwords, not re-using passwords and changing them a few times a year. Inconvenient as that is, we now consider it a fact of life. The new inconvenience is Multi-Factor Authentication. This is also sometimes called 2-Factor or a One Time Pass. It is based on the principle that authorizing access depends on not just a password (something you know) but also a second thing (something you have), like a code texted to your mobile phone, sent to an app or even a plug-in USB device.
The pushback we have experienced in rolling this out is that people find it annoying and inconvenient. “What if I don’t have my phone with me? How often will I get this prompt for the code? I don’t want to give my personal cell phone to a work application.” These are some of the common complaints we hear, and yet we move ahead with adopting this new technology because the risk of an email or application breach is becoming greater than the annoyance of living with Multi-Factor Authentication. We recommend implementing Multi-Factor not just on email, but on any application you can.
Password lockouts are another easy win for Cyber-security. We do receive a lot of support requests every day from folks who have been locked out of their systems. That is minimally annoying, but a no-brainer compared to the risk of a hacker having the opportunity to try not just hundreds or thousands, but millions of passwords in order to gain access to one of your critical systems.
You may be thinking, “We have multi-factor, I think we have password lockouts, now are we secure?” This brings me to the primary tool of the Cyber-security professional: the Risk Assessment. A formal risk assessment is the only way to say with any certainty where you are in your security posture, where the holes are and where you are going to go next to improve your company’s security. The important thing to remember is that Cyber-security is a journey, not a destination.
Want to learn more about the state of your business’s Cyber-security? Contact me to learn more.