Cybersecurity – too much talk not enough action!

The RSA convention is now long gone, and cybersecurity has taken a back seat to sensationalistic reporting on security breaches and government policy.  It is almost like the larger security organisations and governments have taken their bat and ball and gone home.   We will see them all again at the next big convention where they can roll out their newest and greatest security product.

I have been harping on about cybersecurity and protecting small and medium business and not-for-profit organisations (SMB) from the cyber criminals for the last two years, but the bigger security organisations seem to be only interested in selling their products and governments are more interested in controlling the attacked. Neither is focusing on or thinking about a concerted effort to protect SME business (except in their niche market, of course).

There is no overall, readily available how-to that can be used to bring SMBs up to a consistently higher level of cybersecurity and resilience than they get from using a particular product, complying with a particular rule or creating cyber resilience. Business security is a combination of all three.

SMBs need to take a holistic attitude to protecting their data from both internal and external threats. It is no longer a case of using one product to achieve the total protection that the larger security companies are pushing: “use our [insert technology here] and you will be forever protected”. What a load of BULL.

The newest cloud, network or user-based security widget is not going to create a complete cybersecurity environment for any business, let alone SMB organisations with limited money and expertise. The introduction of the widget will cover a small percentage of the total protection of the required business environment. Don’t get me wrong, in its place the purchased widget will do the required job, but it is not where business should stop. Once the widget is in the business environment it has to be used within the holistic framework as a component of the whole.

SMBs need a system that, once applied, will lift the business security to a level where the bad guys will go after someone else – hopefully a competitor. The system also needs to be able to adapt and change to meet emerging security requirements, including new technology and new compliance requirements.

You put a complete security system in place to protect your intellectual property, your staff, your clients and your overall business from attacks. We are not only talking about the outside cyber criminals and automated attacks. What about the disgruntled employee or overlooked IT staff? They are just as big a threat to the business as anyone else.

So, as an SMB, where do you start? There is no cheap way of securing your organisation, but there are ways to use available systems that will increase your awareness and protection without excessive costs. There are four areas where SMBs need to focus.

Business technology

This is the hardware and software that a business purchases to either protect the business or for the business to use to do “business”. Anything to do with computers, laptops, servers, firewalls, operating systems, applications, cloud or smart appliances (phones and tablets) is managed through this component. The introduction of one type of technology could cover a number of requirements in the framework but not all of them.

Command, control and management

No matter what part of the business you are looking at, there has to be some level of control and management; security is no different. You have to put security systems in place around your business requirements. The problem is that the business still needs to function as well as protect the data and information that it uses to do business. This is a fine line.


Adaptability

Like nature, all businesses need to adapt to change, otherwise they will perish. Some large businesses have changed in such a way that they no longer resemble what they started off as. The largest part of the adaptability component is resilience. The ability to see opportunities and react in a beneficial way is important for any business, but it is critical for an SMB.


Compliance

The worst component of SMB security is the ability of the organisation to meet the compliance requirements. Everyone hates an audit; one that can close down your business is even worse. In a security framework the other three components are leading the organisation towards a compliant environment. The compliance component is no longer a tick-in-the-box type of problem, it is the way the business IS. By all means, tick the boxes on a compliance audit, but it is so much better and easier in the long run to live within the compliance mantra.

Yes, security is important, if not critical, for SMBs, and the more organisations go digital, the more security will become paramount as a business driver. Security not only means protecting your business but it also means protecting your most important asset – your clients and customers. And here endeth the rant.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not-for-profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.