Is Cyber Security just about Technology?
I recently had the pleasure of co-presenting at a cyber security and business conference in Melbourne. The talk was all about encouraging big business security campaigns to go beyond staff awareness and on to changing behaviours in a way that makes companies more secure. Many of the points we made would be hard for smaller businesses to implement, as they depend a lot on having a Learning and Development or Culture team in the business focused on driving these changes. Most of the background information we gave, however, is definitely relevant to businesses of all sizes.
It was this background information that started the most conversations with attendees throughout the rest of the day as I met with people who had been in the audience, and so it seems it might be helpful to share it more broadly.
Cyber security is NOT a technology issue, it's a business issue
It sounds like a cliche, but in my opinion this is absolutely the number one most misunderstood thing about cyber security today. So many of the business owners we speak to at Cynch have started the discussion with the belief that it's all about what technology their business uses. This leads to blind spots around how other aspects of their business and the market they operate in affect their risk.
If people are your business' biggest asset, they're also your biggest weakness
In its 2016 Data Breach Investigations Report, Verizon Enterprise noted that 63% of confirmed data breaches involved weak, stolen or default passwords. Then in their 2017 version of the same report they found this same vulnerability to be involved in 81% of hacking-related breaches. By not managing passwords well, businesses are figuratively locking the front door of their business whilst leaving the window wide open to cyber criminals. Managing passwords is not just a tech issue, but a human one, and one that every staff member must understand so that they can close the window on crime.
These types of insights are what drive us at Cynch and why we created our Small Business Password Management Security Pathway.
It's a mobile world out there
Do you use, or allow your staff to use, their own smartphone or other mobile device for work instead of a company-owned one? If the answer is yes, think about how much control you have over what happens on that device, and whether or not you have any ability to take action, such as forcing software updates, disconnecting it from your network or even just seeing what's going on. Bring-your-own-device (BYOD) is creating gaps in what we can control as a business. While it’s easy to focus on the convenience of carrying one phone for everything, remember, if your business can’t monitor, control, or make decisions regarding a device, then incidents resulting from it are not technology issues. The best you can hope for is that technology professionals will be there to help when the proverbial hits the fan.
The regulators are COMING!
Lastly, barely a day goes by in the Australian media without an article or 10 on the changes in regulatory frameworks both here and abroad. These changes impact the obligations placed on businesses to secure the data they hold and prevent cyber security incidents. This constant stream of regulatory compliance change is increasing the workload for businesses all over, and not just with respect to cyber security. Teams of people are required, from compliance experts to lawyers and technical specialists, to understand the impact of these changes on business environments. You cannot, and should not, rely on technology solving this alone.
Criminals don't just exploit technology
As a final thought, consider that cyber criminals will go to any lengths to access the parts of your business they are not supposed to access. This means they are looking for any weakness, not just technological ones. It's important to think about how people, process and technology affect aspects of your business to find the weak points and plug them before they bring you unstuck.
- Susie Jones, Co-founder