Cybersecurity: A Secure Foundation

DISCLAIMER: This guide is for small businesses that need to get started. If you are a regulated financial services firm (or you sell to such firms), it isn’t sufficient. But it’s a start.

Introduction

Cybersecurity is a hot topic. There are many scary stories about hackers stealing millions and causing mayhem wherever they go.

However...

The statistics show that most successful attacks on businesses succeed because those businesses are missing basic security measures.

When we think about protecting our homes, we focus on defending ourselves against the most likely attack (a burglary by an opportunist criminal).

If we were to take similar, simple steps to protect our businesses, we would defend ourselves against the most common attacks most of the time.

These simple steps won’t help cybersecurity consultants and technology vendors earn a better living.

But they will help you protect your living.

This series describes in plain English how the most common attacks occur, and how to defend against them.

Eliminating cybersecurity risk is impossible

If James Bond wants to get into your home, he will get in.

If a determined cyber attacker wants to get into your organisation, they will get in.

But most criminals are not as determined as James Bond. And most cyber-attacks are not the work of determined attackers.

Most cyber-attacks are the work of opportunist criminals.

These opportunists want your money, and they know there are many simple ways to get it by fooling someone in your organisation so that they:

  1. Transfer money into their bank account. 
  2. Download malicious software that will block access to your organisation’s files until a ransom is paid. 
  3. Reveal a password that allows access to an email account, CRM or other valuable system that enables them to launch a more sophisticated attack. 

You may read about ‘sophisticated’ cyber-attacks.

But if you look beyond the headline, most are not sophisticated.

Payment fraud, ransomware, data disclosure, BEC (business email compromise) – these are all simple for an opportunist criminal because:

  • You do not know how these attacks can occur, and
  • You do not know how to defend yourself.

Managing cybersecurity risk is possible

There are simple steps you can take to reduce the risk of a successful cybersecurity attack against your business.

Reducing risk = Reducing likelihood [AND] reducing impact

Reducing risk is about reducing the likelihood of something happening.

However, because likelihood is impossible to eliminate completely, reducing risk is also about reducing the impact if that something does happen.

Managing cybersecurity risk = 7 P’s + 3 B’s

To reduce the likelihood of an attack, I will discuss the 7 P’s:

  1. People
  2. Phishing Email
  3. Payments
  4. Passwords
  5. Privileged Accounts
  6. Protection
  7. Patching

To reduce the impact of an attack, I will also discuss the 3 B’s:

  1. [Plan] B
  2. Backups
  3. Buddies

Start here

With your 7 P’s and 3 B’s in place, you can be confident that you have significantly reduced the risks.

After implementing the security measures that I will discuss in this series, a determined attacker could still get around your defences. But most are not determined. They want an easy way to get money and they will find an easier target.

And, of course, there are plenty of other cyber-attacks that could come your way and there are many other security measures that you should put in place.

But you need to start somewhere. And that somewhere is here.