Cyber crime is on the rise; actually, it has been on the rise since Windows for Workgroups in the 1990’s. It could be because more people now have access to the cyber world, or maybe it has just become more noticeable, but either way, it’s ubiquitious. But most small and medium businesses and not for profit organisations take only a fleeting interest in the problems associated with that cyber world; they are more interested in the immediate problems that they face.
In most businesses, the application of cyber security is haphazard. It is done when there is money available, when there is an obvious reason for attack or when someone sees something happen that they have minimal control over. So they go off and buy the newest AV, but it has to be the cheapest, we have to get a new router, it just has to connect to the internet, everyone is surfing the internet or wasting time on Facebook, so let’s put in a policy—right? Wrong.
For those businesses who want to get serious about protecting their organisation, there has to be a well-thought-out first step. This haphazard approach will not work. There has to be structure and managerial oversight in protecting your business. What to do?
In our role as consultants, the first thing we need to do is a risk analysis of the business. This cannot be done alone; it is not a case of delegating the checklist to some subordinate. It has to be done by the highest available person in the business, normally the owner, CEO or manager.
The reason is: You know your business. Yes, a facilitator is very important, but they are only there to ask the right questions and record the answers. You are the only person who knows what is critical to your business, what the business can do on diminished capabilities and what systems have to be protected at all times.
A risk analysis is not just for cyber security. It will help build a business continuity, disaster recovery and business resilience process as well. Having these protocols in place will help a business survive a disaster and get back into the groove quicker.
Most importantly, the risk analysis will answer questions about your critical business data: where it is located, who has access to it, who can move it around, and who is in charge of it. Critical Information is your intellectual property (IP)—the information that, if it became public, would cripple your business. It may be your price list, your patents, your CRM database. Whatever it is, you have to identify it and how to put the right mitigation around that information.
It’s not enough to recognize the danger of cyber crime. If you take action without adequate information, you could be left with a false sense of security. Start with risk assessment, and you’ll be assured of keeping the vital aspects of your business safe in case of an attack.