Why do we think the internet is SAFE? Cybersecurity is a holistic process.

In a recent poll by Symantec of small and medium business and not for profit organisations 77% of the businesses asked were worried about a cyber security attack, but 83% did not have a formal security policy in place for the business.

This highlights the attitude of most SME’s, that if they implement a hardware or software solution that their business is safe.   Although It does show the impact of a good marketing and sales campaign it does not fully protect your business.

National Cyber Security Alliance executive director Michael Kaiser said in a statement. “A data breach or hacking incident can really harm SMBs and unfortunately lead to a lack of trust from consumers, partners and suppliers. Small businesses must make plans to protect their businesses from cyber-threats and help employees stay safe online.”

Obviously the problem can be seen as systemic in SME’s, but most of the problems come for a lack of understanding not a lack of care.    If you are told that ” X is the only thing you need to protect your business” then most business people will accept that and go out and buy X.

The problem is that X is NOT the only thing you need.   Business security and cybersecurity needs to be looked at holistically.   Cybersecurity is not a set and forget process.   It is a living, breathing process that has to be managed and nurtured regularly.

All business are connected to the Internet in some way.   From basic email on an tablet for a tradie, to a full blown CRM package with all of the bells and whistles for a Multi national, their common denominator is the Internet.    Protection of the business from the Internet is usually only focused on the actual connection.    This is only a very small facet of making sure that your information, all of your critical business information is safe.

There are four components of good business security.    Yes you can install and configure a really expensive firewall but this is only hardware and software, it is only technology.    Technology is one of the components of a good security system.   Technology is the hardware, software, VPN, wireless, patch management, end point protection of the business.   Technology cannot stand on its own to protect your business.   You need an additional three components to create a secure envelope around your business.

The other components are management, sustainability and compliance.   The management components looks after your policies, procedures and processes, it takes into account your staff training and is also focused on auditing and reporting.   This component tracks what is happening in real time.

The next component is sustainability, this looks at your risk management and assessment, disaster recovery, business continuity, backups as well as your business culture and resilience.   If something does get through your security envelope you need to have a place to go back to.

The final component is your compliance.  If you have the technology, management and sustainability in place then the compliance requirements for your business are already partially covered.   If you cover your compliance requirements to a level where an audit is passed then you will also tighten up the other three components and create a really secure business environment.

Looking from a holistic point of view, cybersecurity can only be achieved with the right attitude.   You can spend thousands of dollars of hardware and still not be protected to a compliance level.

Not only do SME’s have to manage the changing landscape of normal business practice.   They have to also handle the prickly subjects of BYOD, cloud computing and social media as well as the future tech that is coming through tomorrow.   What policies and procedures have you applied to your business to manage these invasive technology?

Roger Smith, is an educator. Teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on Cybercrime and founder of the SME Security Framework. He is a Consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course which are considered to be the definitive guides to helping SME's protect their organisation using the principles of Technology, Management, Adaptability and Compliance.