What is appropriate security?

Cybersecurity can feel like a black hole of investment. There’s no end of technologies and vendors selling all kinds of solutions to the real, and perceived, risks.

And we are constantly told that we need to have an ‘appropriate’ level of security.

But what is appropriate? And when is enough good enough?

The answer is: It depends.

It depends on many things, including:

  1. What type of technology you use, and how it’s all currently configured, managed and secured
  2. What type of data you have access to
  3. How much money is flowing into, out of, and around your organisation
  4. How dependent your business is on technology
  5. What your peers are doing
  6. What your clients expect or assume
  7. What your regulators expect or require
  8. What your board members’ attitude to risk is
  9. What your financial and organisational capabilities and constraints are
  10. What your business strategy is for the next 5 to 10 years

Before I can say what ‘appropriate’ looks like for your organisation, we would need to work through this list.

What is inappropriate security?

But even without speaking to you, I know what inappropriate looks like.

Inappropriate includes one or more of the following:

  1. Your systems (e.g. email; CRM system) can be accessed from the internet with just a username and password.
  2. Your important files or systems are not backed up, or the backups have not been tested in the last few months.
  3. It only requires one staff member to make a payment or set up a new payee on your company’s bank account. There is no oversight or second-person review.
  4. You assume that all staff know what a dodgy email looks like and know what to do when they get one, but you have no evidence to confirm this assumption.
  5. You assume that the software on every laptop is being kept up to date and that the anti-virus software on the laptop is protecting it from attack, but you have no evidence to confirm this assumption.
  6. You assume that your IT MSP is responsible for cybersecurity, and there’s nothing that you need to do, but you have no evidence to confirm this assumption.
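Item 2 above says a backup that has not been restored and checked is not really a backup. As an added example (not code from the original post), the script below shows what a minimal restore test looks like in practice: it hashes the live files, writes a tar.gz backup, restores it into a scratch directory, and compares every file's hash, so a corrupt, incomplete or outdated backup is caught before you need it. It also flags a backup whose last successful restore test is older than a policy window. The sample files, the 90-day window and the `demo()` helper are constructed for illustration.

```python
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 so two trees can be compared."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def make_backup(source_dir, archive_path):
    """Write a gzip-compressed tar of source_dir, with paths stored relative to the tree root."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")


def restore_test(archive_path, expected_hashes):
    """Restore the archive into a scratch directory and compare every file against
    the hashes taken from the live system. Returns (ok, list_of_problems)."""
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                # The 'data' filter rejects absolute paths and '..' entries, so a
                # tampered archive cannot write outside the scratch directory.
                tar.extractall(scratch, filter="data")
            except TypeError:  # older Python without the filter argument
                tar.extractall(scratch)
        restored = hash_tree(scratch)
    for rel, digest in expected_hashes.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"content mismatch after restore: {rel}")
    for rel in restored:
        if rel not in expected_hashes:
            problems.append(f"unexpected file in backup: {rel}")
    return (not problems, problems)


def backup_is_stale(last_tested, now=None, max_age_days=90):
    """True if the last successful restore test is older than the policy window (assumed 90 days)."""
    now = now or datetime.now(timezone.utc)
    return now - last_tested > timedelta(days=max_age_days)


def demo():
    """Run a clean restore test, then one where the live data changed after the backup."""
    with tempfile.TemporaryDirectory() as work:
        live = os.path.join(work, "live")
        os.makedirs(live)
        # Constructed sample data standing in for a real file share.
        with open(os.path.join(live, "ledger.csv"), "w") as f:
            f.write("date,payee,amount\n2024-01-05,Example Ltd,1200.00\n")
        with open(os.path.join(live, "notes.txt"), "w") as f:
            f.write("constructed sample data\n")
        archive = os.path.join(work, "backup.tar.gz")
        expected = hash_tree(live)
        make_backup(live, archive)
        clean = restore_test(archive, expected)

        # Simulate an outdated backup: the live ledger changes, the archive does not.
        with open(os.path.join(live, "ledger.csv"), "a") as f:
            f.write("2024-01-06,Example Ltd,75.00\n")
        outdated = restore_test(archive, hash_tree(live))
    return {"clean": clean, "outdated": outdated}


if __name__ == "__main__":
    results = demo()
    print("clean restore ok:", results["clean"][0])
    print("outdated backup problems:", results["outdated"][1])
```

The useful habit is the shape, not the script: take hashes from the live system, restore somewhere isolated, and compare. Whatever backup product you use, the evidence you want is the output of a comparison like this one, dated and kept.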

What to do?

If you see any of these in your organisation, you need to do two things:

  1. Accept that you do not have a basic level of security and you are an easy target. Stop fooling yourself.*
  2. Truly accept that you are exposing yourself to significant financial, reputational and operational risks, or do something about it.

If you accept the risk, that’s your call. At least you have made an informed decision.

Alternatively, if you want to do something about it, start with my basics. Or give me a call so we can get the basics in place.

The basics may not be sufficient.

But without the basics, your business strategy is called ‘fingers crossed’.


* Sorry for the tough love.