What, why and some hard truths
How is your tech security?
Security, cyber-security, technology safeguards, data protection – call it what you will; these are all essentially parts of the same topic, albeit with a slightly different focus in each case.
When we talk about security of any name we mean the mechanisms and processes that need to be in place to safeguard your digital assets from damage, loss, corruption, unavailability, breach, hacking, compromise and dozens of other unexpected events.
When we talk about digital/technology assets, this includes hardware, software, networks, infrastructure, cloud platforms, systems, applications, data, information and anything else that makes up the spider-web of information technology.
You know – all that techie stuff.
By now you’ll have figured that there are many ways of describing many situations that can have an impact on one, or some, or all of the things that make up your information technology solution.
Did we miss anything?
Probably. Depends how much technology you use.
Why should security concern me?
Security breaches only happen to the big companies, right?
Whether you are a sole-operator, partnership, mid-size company or corporate, you should be aware that some part of your technology is potentially open to attack.
And if your system is being attacked you can assume everything your system is connected to is also in the firing line. Which means everybody using your system will suffer some form of impact from the attack.
If not this attack, then the next one, or the next one…
For some organisations – especially those unfortunate enough to be considered ‘fair game’ by the bad guys – the attempts to exploit vulnerabilities are almost continuous. Or should that be ‘continual’? Either way, some companies have to deal with a huge volume of attacks pretty much all of the time.
For many, being hit by a virus or malware is nothing more than a nuisance, which may waste a little time while the infection is neutralised and systems are recovered. However, more sophisticated attacks are designed to cause serious damage and may take significant effort to counteract. We all now know that ransomware attacks are deliberately designed to cripple a company and come with an attempt to extort money from the victims. Recovering from this type of attack can consume enormous time and resources if you’re not prepared to deal with it, which equates to bottom-line pressure for a company.
Who is responsible for security?
The technology team in your business, or your outsourced partners, are important contributors to the creation and maintenance of your overall security framework. But a techie team is not enough. Your entire organisation is responsible for making sure the security framework is effective. Not just the developers, infrastructure engineers, web designers and security specialists; but everyone!
Automated defences will do an admirable job of protecting your systems most of the time, but people are often the key difference between keeping the nasties at arm’s length or allowing them into your systems.
At some point, despite robust defences and continual training and education, a vulnerability will be introduced by someone, data will be exposed by someone not following correct process, accidental damage to a system will be caused by someone not understanding the implications of their actions.
People are part of the problem and the solution to technology security.
So, don’t assume something or somebody else is looking after your security. We all have a part to play in the ongoing effort.
Some hard truths about security.
The best security in the world will not provide 100% effective defence against all attacks all of the time. Even if you’ve invested lots of time, money and effort building your technology solution and trying to make it secure.
Yes, that’s right – sooner or later some part of your system will be compromised. Maybe with very little impact, if you’re lucky; maybe with catastrophic impact, if you’re unlucky. Or unprepared.
A cyber-attack that breaches your security can compromise a small part of your technology, or all of your technology. Sometimes, the breach will start small then escalate to all parts of your technology.
Even a minor cyber-attack has the potential to take systems out of action, which can be especially problematic for small businesses. How long do you think a sole operator has to survive without that important data or application running on a compromised laptop?
A day? A week? A month?
And what sort of impact would leakage of sensitive customer data have on your reputation?
Or your compliance with legislation?
Or your ability to trade?
Attacks are not always carried out by third parties outside of your organisation. Sometimes (more often than we would like) the breach is caused by your actions, or your employees, or your business partners.
In some cases, breaches are accidental – caused by mistake or simple carelessness. In some cases, breaches are deliberate – caused by people with malicious intent.
All is not lost…
It’s not all doom and gloom when it comes to cyber-security. There are simple measures that can be taken to protect your technology assets, whether you are part of a small business or corporate organisation. When taken as a whole, these measures form what is known as an Information Security Management System.
An effective security framework such as an ISMS can adapt to evolving threats to keep one step ahead of the cycle of cyber-incidents such as viruses, malware and system breaches.
More To Come...
Look out for the next instalment in this topic.