Whether it is spelt ‘cybersecurity’ or ‘cyber security’, I am pretty sure it’s impossible.

Why is cybersecurity impossible?

“Cyber” commonly means the internet or more specifically, a system or network that is connected to the internet.

“Security” in this context refers to measures that are in place to protect this system or network from attack.

But there is no such thing as 100% security, especially on the internet. There will be someone out there who can get around even the most sophisticated security defences.

So, why bother with cybersecurity?

You protect your home with some basic security measures (e.g. locks on the doors and windows; an alarm system). You know these will not be sufficient to stop a determined and skilled criminal. But you know they may be enough to stop an opportunistic burglar, and there are more opportunist burglars than there are determined ones.

This is about risk reduction, not risk elimination.

You can’t guarantee you won’t be a victim, but you can certainly ensure you are not a soft target.

The same goes for cybersecurity. Putting even basic measures in place will ensure you are not a soft target.

How do you know you’re a soft target?

You are at risk if:

  • You haven’t heard much lately from your IT service provider about your current cybersecurity measures, or
  • When you ask them for information, you’re told “It’s grand. We installed a firewall on the computer network a few years ago”, or
  • No-one mentions the biggest weakness in your security – your staff.

What to do if you are a soft target?

Find someone like me who can help you. Or if you want to do this alone:

1. Recognise that you need to do something and you need to do it fast.

Implementing small changes will be more successful than talking about big initiatives.

2. Focus on the assets and the processes of most value. For example:

  • Your email system.
  • The process that you follow to pay suppliers.
  • Any system that stores sensitive information.

3. Think about how these could be compromised. For example:

  • Could someone deceive your finance staff, causing them to transfer money to the fraudster’s bank account?
  • Could someone gain access to the system over the internet if they knew a staff member’s password?

4. Think about steps you could take to reduce this risk of compromise. For example:

  • Define a clear process that your staff and your suppliers must follow when setting up or changing their payment details.
  • Ensure logins to important systems are not possible from the internet and/or involve more than just a password – something commonly referred to as 2FA (two-factor authentication).

5. Train your staff.

  • Your staff are your weakest link. It’s no different from your home – alarm systems and locks mean nothing if the occupants will let anyone in.
  • Train your staff so they are aware of how criminals will target them.

6. Find someone who can continue to advise you on cybersecurity.

  • You need someone who can independently assess what is appropriate for your organisation, proportionate to the risk and budget.
  • If this article has taught you something you didn’t already know, it is unlikely that your current IT provider is that person.


Update: I cover all of the above and more in my guide to the basics of cybersecurity.