Cyber Security – Don’t listen to the sales hype

I was walking through Sydney domestic airport returning from a very uneventful and wasted couple of hours at Google, and came across two billboards in the terminal.  Huge billboards, about 5 metres by 2 metres, boasting that if you use this product, your whole organisation will be safe from the internet nasties.  To most people this would make sense; to someone with a cyber-security background like me, it is “red flag to a bull” type stuff.  I’m not saying their claim is completely incorrect, but it is pretty close.  It is false and misleading, because if you deployed this product and didn’t do anything else, then your organisation would have major problems.

So what is wrong with these adverts?  A single device is not protection from the internet.  There are so many variables affecting whether your data is safe—how your information is stored, who is using your organisation’s network, who has access to the data, what policies are in place—and all of them need to be taken into account.  There is no single thing that can be done by an organisation that will totally protect its information and data.

To have a secure business environment you have to do three things: know what you are protecting, know how you are going to protect it, and finally, know how much money you are going to throw at the solution.  For most small and medium businesses and not-for-profit organisations, all three questions are very hard to answer.  Most SMEs have the following two attitudes:

* We don’t have anything of importance to steal.

* It won’t happen to us.

Both are misleading and totally wrong.  Every organisation and business has something that the criminals want—from money, to high-end intellectual property, to a back door into a parent business.  There are a myriad of reasons why you could be a target.  The broad understanding that cyber criminals are opportunistic is correct.  They use every opportunity to target you!

A vast number of businesses base their cyber security and cyber crime solutions on the sales hype that technology companies put out.  In most cases, these systems do an adequate job, but only where they have been designed and installed to fit with your business’s overall protection scheme.

Cyber security is a holistic process.  Managing the complete system allows for a better protected environment.  A better protected business is achieved with policies and procedures, business continuity and disaster recovery plans, auditing, reporting and, of course, technology.

Businesses often forget (or don’t know in the first place) that they have to use this holistic process to protect themselves.  Rather than buying a product, you have to use a basic framework of protective measures, and adapt it to your specific needs.  Without a simple framework and a basic understanding of cyber crime, all organisations that use electronic data are not only targets—they are extremely vulnerable ones.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisations using the principles of Technology, Management, Adaptability and Compliance.