Perpetrating the myth that this is all you need to secure your business environment against cybercrime

How many times do we see it?   Purchase this widget and your business will be secure.   What a load of piffle!!!

The cyber and data security of any small and medium business and not for profit organisation can not be handled by a single simple application or hardware components.

Let’s look at normal physical business security.

Any organisation, who has an office will start by putting on a front and back door lock.   These locks have restricted access so only trusted people can get in with a key or card or biometrics.   What about the windows, let’s now put locks on them if they open and reinforce them if they do not.   Do we need to look at the roof, can someone get up there and go through the roof? We need to make sure that that is secure.

So that will now stop the casual thief, from the outside anyway.   What about the persistent thief.   The lock may not protect you from the thief with a crow bar or from the thief driving a car through your front door.   To protect our business we need to put in bollards so that a car cannot get into the building and reinforced doors so the crow bar is ineffective.

We now also need to put in alarms.  These will protect your business if some unauthorised person get in.    Once again we need trusted people on staff to disarm and arm the alarm.   We also need to make sure that the alarm has a very loud bell to scare off the would be thief and it also has some level of monitoring.   But what happens if someone cuts the power, we need to have some sort of redundant power system so that the alarm is always working.

We now need to make sure that a client in reception can not steal from the back room.   We could put in biometrics if the cost can be justified or a number lock – to segregate the businesses.   We have now segregated the office into sections that have different authorisation levels.   We also need to make sure that the trusted staff cannot walk out the door with business critical information and equipment.  The secret squirrel stuff can be protected with RFID on all files and scanners on all of the doors.

So our office is now nice and snugly, it is secure and safe.   Is it?   What about a direct assault on the office during business hours.   Lets put a panic button system on the alarm and the police can be on site in minutes.   Finally what happens when there is a fire, flood, tornado or earthquake.    The alarm will go mad and tell everyone that something has happened and the alarm will tell you and anyone within hearing.

You have put all of these deterrents in place and if you approached an insurance broker you can prove that you are less of a risk because of what you have done.   It could even reduce your premium.   It is not over what about the next best clever thief, (maybe he is invisible), how do we protect against him.

So that is just for the office.    There is no single feature that we deployed in the above office that will totally protect you.   It is a combination of it all.    Cybersecurity management is similar.   There is no single widget that will create a secure business environment.

As a cybersecurity focus you need to apply

  • Technology – the locks on the doors and windows, the alarm system,  RFID.
  • Management – who is allowed to turn off alarms and authorise access. Who has access to secret squirrel information.   The segregation of business components in the office.
  • Adaptability – risk analysis of all of the threats to the business and putting solutions in place to mitigate those risks.  We also need redundant systems to keep it all going in case of disaster.
  •  Compliance – the insurance broker checking your office.  Using the systems in place to protect the business

So as I said there is no single thing that you can install into your business that will make it secure by just installing it.   You need to have an interlocking system that will protect your business from the most determined thief or cyber criminal.   Don’t just listen to the hype from the sales people!

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.