Is Cyber Security about Tech or the Business?
H2 Cyber Risk Advisory Services
H2 use their expertise in cyber security and data solutions to support businesses - 0845 5443742
It’s simply a fact that many owners, managers, directors etc., believe that cyber security is a technology issue and is best left to those guys in IT who understand that stuff. Here at H2 we spend a lot of time and effort trying to educate C level people that it really is a business issue, although it has significant input from the techies. It’s a business issue because breaches can have a significant financial and reputational impact.
The crux of the issue, though, is that it must be led by the business, and at board level. It requires a strategy to be followed, which is laid down at board level and which is focused on the goals and aspirations of the business, especially when your IT is outsourced. You can outsource your IT, but you can’t outsource your responsibility.
A valid argument is that the proliferation of security tools creates an illusion of safety. Organisations, large and small, often believe that by deploying a firewall, antivirus software and maybe some other tools, such as intrusion detection systems, they are adequately protected. This ignores the fact that such tools are controls put in place to mitigate risks identified and qualified in terms of importance, in a risk assessment.
To be fair to most companies in the smaller and mid-market arenas, their focus is on obtaining IT solutions as cost effectively as possible, and with the minimum of support costs. Cost control is vital to most. This means that they are extremely reluctant to spend money on what they see as not being part of their core business. Of course, if they get a cyber-attack or scam, or worse a data breach attracting the attention of the ICO, then their costs trying to fix the issue can easily outstrip any costs in prevention. Unless they have a well thought out risk managed strategy.
The approach most take is to trust their IT provider to give them the protections they need. Most of these IT providers are what is known as re-sellers, i.e. they sell other people’s products and will push those products because that’s their business model. What they won’t do is take a risk managed approach, which is essential in ensuring that any limited spend on security, limited because of cost constraints, is targeted where it’s needed and will be most effective. In other words, the technological approach taken by most IT support companies will do half a job at best.
In essence then, if you don’t understand the risks you face, how can you ensure that your cyber security strategy
A quote from Bruce Schneier, Fellow at the Berkman Center for Internet & Society at Harvard Law School, goes like this:
‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology’.
How do we approach this then? First and foremost, you need to identify the risks that you face. How can you identify that risk and then mitigate it? Taking risks is a part of business. You assess risk every day when doing business. Do you want to do this deal? What happens if it does not go as expected? Do I want to take this person on? Whether you formally undertake a risk assessment or whether you assess that risk informally, you are working out what is appropriate to a level that is consistent with the risk that your organisation is prepared to take. Failure to do that will almost certainly be damaging to your business, perhaps fatally so.
The difference between assessing day to day business risk and assessing risk to cyber assets is one of understanding. What is a cyber asset? In this context insert the word ‘information’ instead of cyber. It is the information contained within the IT system that is the important asset, not the piece of hardware it is sitting on. You understand your business risk, after all it is your business, but do you understand information risk? Do you have a clear idea of what information assets you have and where they are? Before you answer that, think it through. Do you really know where all the data is? OK, you know that you have a server or servers probably in a cloud somewhere (cloud storage and access is a whole other subject) and that somewhere in those servers there is a bunch of data which runs your business. How much of that data has been saved onto staff workstations when they needed it to carry out some work? How much has been copied off somewhere else for what was probably a very good reason at one point? How well is your firewall functioning? Can malware work its way onto the network because the firewall does not have Unified Threat Management installed, and could it therefore be probing the servers and workstations? And we haven’t even thought about changes in working patterns. How many of your staff now work remotely some or all of the time? I could go on.
How can we be sure where all this information is and how important each bit is to the business? How can we assess this risk to the business, if information is lost or otherwise compromised? What about ransomware, phishing scams etc.? The good news is that some of this can now be automated and managed for you at an affordable price, and you can even arrange a 14 day totally free trial to assess its effectiveness.
To learn more about the services we provide please click here: https://www.hah2.co.uk/
Please feel free to give us a call or email
Alternatively, you can book a slot using our Calendly link.
T: 0800 497478
M: 07702 019060
Trust H2 – Making sure your information is secure
Spot on! Cybersecurity is definitely a business issue, not just for IT. It's all about managing risks, not just relying on tech tools. Thanks for sharing!