You wouldn’t build a house on a shoddy foundation. You wouldn’t buy a car without first checking the engine. So why do so many businesses seem to assume they can stay secure just by spending a bit of money?
Let’s start things off with an analogy.
There once was a very foolish king who had a vault filled with treasure. Paranoid that someone might steal from him, he spent thousands on elaborate security measures to turn his castle into a nigh-impenetrable fortress. Unfortunately, in his zeal, he completely neglected to train or hire disciplined guards to man that fortress.
When one of his rivals realized that, they talked their way in, had one of the king’s men guide them past the traps, and made off with all his treasure - the king was ruined.
The lesson behind this analogy should be quite clear. It doesn’t matter how much money you pour into advanced cybersecurity technology if you don’t have a strong foundation to back it up. Without a cybersecurity-focused culture and properly trained staff, even an advanced system won’t protect your data for long.
Hackers have always sought the path of least resistance, and they always will. If a criminal who’s sizing your business up as a target realizes its infrastructure is nearly impenetrable, they’ll simply target your people. And if you haven’t done the necessary legwork to train those people up, all the money you put into those shiny security features is just wasted capital.
Spending more is not a suitable strategy for protecting your business. Instead, you need to spend smarter. You need to be smarter.
There are a few steps you should take in that regard.
Make Security a Company-Wide Effort
Perhaps at one time in the past, cybersecurity was solely the domain of the IT department. In an era where everyone carries smartphones and even a low-level worker can potentially cause a data breach, that’s no longer the case. Everyone should understand their role in protecting company data.
Moreover, everyone should have a solid grasp of the fundamentals. How to recognize a phishing attack, what’s involved in creating a strong password, how to tell if an app is malicious, why public WiFi is to be avoided, and so on.
Take a Multi-Tiered Approach to Protect Your Systems and Data
People, software, systems, and data. Cybersecurity is like a set of doors, each leading to the same place - your protected assets. Each door needs to be well-guarded, or you might as well not guard any of them.
Sure, you might have a good MDM platform in place, but how will you control files when they’re outside your perimeter? How can you ensure employees aren’t doing unsafe things with their devices? How can you keep corporate apps safe and walled-off from potentially malicious consumer apps?
Understand Your Risk Profile
Who is targeting your business, and why? What data and systems do you need to protect, and why do you need to protect them? What’s the biggest risk you face, and what measures have you taken to address that risk?
These questions are critical, and if you’re going to properly direct your cybersecurity efforts, you need to answer them. You also need to think about…
Access control. Who can access your most important assets, and who needs to access them regularly?
Value. Which assets are most valuable to a criminal?
Weak Points. Through regular penetration tests and evaluations, where are your security ‘blind spots’?
Monitoring. How does your data flow through your network? How is it used and accessed by employees?
Good Policies Are Your Friend
In addition to training your staff and protecting your software, hardware, and files, you also need to secure your business processes themselves. What I mean is that you need policies that ensure security is baked straight into the DNA of your organization. These include:
Authentication. Take a “zero trust” approach. Authenticate everything and everyone, but establish clearly how and why those authentication processes will be applied.
Acceptable Use. Make it clear how employees can use company property such as smartphones and laptops in the workplace - and what’s against the rules.
Passwords. Enforce good password habits. We’ve seen too many systems protected with credentials like ‘admin’ or ‘password.’
Incident Response. When the worst happens, you can’t be caught unawares. Have a plan in place for every type of cyber incident your business will face - and a general-purpose plan in the event it faces one you weren’t aware existed.
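The password item above is the one policy on this list that can be enforced mechanically. The following is an added example, not code from the original post: a small Python policy check that rejects default and common credentials (including trivial variants such as ‘password1!’), enforces a minimum length, and flags passwords that embed the username. The denylist and minimum length are constructed assumptions for illustration; a real deployment would load a much larger list of known-weak passwords.

```python
"""Password policy check (added example; not from the original post)."""
import re

# Constructed sample denylist of default and common credentials.
# Assumption: a production system would load a far larger corpus here.
COMMON_PASSWORDS = {
    "admin", "password", "123456", "qwerty", "letmein", "welcome", "changeme",
}
MIN_LENGTH = 12  # assumed policy minimum


def check_password(username: str, password: str) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    normalized = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Strip trailing digits/symbols so 'password1!' still matches 'password'.
    stripped = re.sub(r"[\d\W_]+$", "", normalized)
    if normalized in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("matches a common or default credential")

    if username and username.lower() in normalized:
        problems.append("contains the username")

    # Reject long-but-degenerate choices such as 'aaaaaaaaaaaa'.
    if len(set(password)) < 4:
        problems.append("too few distinct characters")

    return problems


def audit(accounts):
    """Map each failing username to its violations for (user, password) pairs."""
    report = {}
    for user, pw in accounts:
        problems = check_password(user, pw)
        if problems:
            report[user] = problems
    return report


if __name__ == "__main__":
    # Constructed sample accounts for a local dry run.
    sample = [
        ("alice", "password"),
        ("bob", "correct horse battery staple"),
        ("admin", "admin1!"),
    ]
    for user, problems in audit(sample).items():
        print(f"{user}: {', '.join(problems)}")
```

Run the check at the point where credentials are set or rotated (account creation, password change, service-account provisioning), not only as a one-off audit, so that the policy is enforced rather than merely recommended.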
Last but certainly not least, cybersecurity is an ongoing process - you’re never truly “done” with it. It’s critical you remember this going forward. Never allow yourself (or your staff) to grow complacent. Complacency leads directly to carelessness, and carelessness is what causes data breaches.
Don’t be like the foolish king. Train your staff. Understand your weaknesses. Get the fundamentals down first - then when you do spend money on your infrastructure, you’ll know exactly where you need to spend it.
Oh, and one last thing? Patch your systems. Outdated infrastructure is one of the leading causes of cyber incidents. Even WannaCry, the most devastating ransomware of all time, only caused the damage it did because of unpatched, out-of-date operating systems.