Author: Gary Hibberd

Date: 2nd February 2021


Before I jump right in and tell you the lies that some Consultants tell you, I wanted to make something perfectly clear:


I am a Consultant

There, I said it. I’m glad we cleared that up from the outset. It’s important to also know that I’m not talking about all Consultants here. Not all Consultants tell lies. But some do, and some of them do so without really knowing that they’re lying. Some Consultants are simply misinformed and are not very good, so I suppose we could forgive them for this. But some will lie to your face, smile as they do it and charge you the earth, to boot.

If you’re a Consultant, this blog is about those other Consultants, not you. You’re one of the good ones (I’m reasonably sure of that).

If you’re someone thinking of using a Consultant, then here are three things that they may tell you, which are not true (aka, they’re a liar liar with their pants on fire!). Please tell me if you’ve ever heard these, or perhaps there are others you’ve come across? I’d love to hear them. Here are the top ‘three fibs’ I’ve heard…


You can’t do Security/Data Protection/Business Continuity without a Consultant

Really? Are you sure? A Consultant’s job is to make the whole process as simple as possible and guide you on your journey to becoming more secure and resilient. But to say you can’t do it yourself isn’t true. Will it take you longer on your own? Yes, probably. Will you need to upskill yourself in these topics? Yes, definitely.

Cybersecurity, Data Protection and Business Continuity are professions in their own right. There are plenty of professionals out there who have dedicated hours, months and years to understand the policies, processes and technologies required to make you more secure.  You will have to dedicate time to learning these disciplines and have a clear vision of the end result you’re looking for.

A Consultant can make the process easier, in the same way that a builder makes the process of building an extension on your house easier! But it doesn’t mean you can’t do it alone.

I prefer a much more collaborative approach when I work with clients, as I embark on a process of ‘knowledge transfer’, so that they are ultimately able to be self-sufficient and proficient in the areas of key concern. 

I would always advise on speaking to a Consultant about these topics, but you can, if you have the time and inclination, do a great job without the need for external assistance.

As I often say to people: Cybersecurity is a complex topic, but it doesn’t need to be complicated.

My advice is to start with the basics: you can’t protect what you don’t understand, so start with a little careful introspection. Ask and answer the following questions:

  1. Do you have a clear objective for Security (what are you trying to achieve?)
  2. What Security (or Data Protection) related policies do you have in place?
  3. What systems do you use? (e.g. Sage Pay, Salesforce, Hootsuite, etc.)
  4. What data do you hold in those systems?
  5. Where are these systems located? (i.e. is your Data in Europe or further afield?)
  6. Who manages your Cloud services (if you use Cloud services)?
  7. Who has access to these systems?
  8. What Security is in place to protect these systems?
  9. What could someone do with the data (in these systems) if it was lost/stolen?
  10. What would be the impact on your business if you couldn’t access this data?

By doing this, you’ll start to build a picture of the risks and issues that need to be addressed. Think of the risks associated with People, Premises, Processes, PCs and Providers, and if you have gaps in your understanding, then this is where to start.

Start simple. Start with small steps. But start. It’s really not complicated.


We can make you GDPR Compliant

If you hear these words uttered from a Consultant (or salesperson), you are officially allowed to grab a wet fish and slap them around the face (I may have made that up, so please use that advice with caution).

There is no such thing as GDPR Compliant. No one is GDPR Compliant because GDPR is an outcome-focused regulation. This means you need to demonstrate you are complying with the regulations by building a body of evidence that you’re abiding by the regulation’s principles. It is a principle-based regulation, rather than rule-based, and therefore you need to do a range of things to demonstrate that you’re acting in accordance with the regulation.

You can’t simply install some software, or use a single service to ‘make you GDPR compliant’. That’s like going to the gym and using the treadmill and saying “I’m now healthy”. ‘Healthy’ compared to what? Compared to who? Are you as healthy as Mo Farah? As Usain Bolt? As me?! GDPR compliance is a holistic enterprise and is made up of many parts. Don’t be fooled into taking a magic pill (service or software) and thinking all your problems will go away. They won’t.

Finally, let me say that although some might think that due to Brexit we don’t need to worry about GDPR, that is a bit of misinformation, rather than a lie. We probably should call it EU GDPR now, to give it its full name. But the UK Data Protection Act 2018 encompasses the principles of the GDPR. So it’s still something you need to be aware of.


Our solution can make you 100% secure

This is an easy one to dispel and, to be honest, we are (thankfully) hearing this less and less. But it is still uttered amongst salespeople and Consultants who are pushing their own agendas.

To be clear: there is no such thing as 100% secure. There is certainly ‘more secure than the next person’, but if a Cybercriminal and/or Hacker targets you then there is a good chance you’re in trouble! This doesn’t mean you shouldn’t do all you can to stack the odds in your favour and take appropriate measures to protect yourself from attack.

Everything you can do to protect yourself from attack or from a breach puts you at a greater probability of not becoming the next victim of Cybercrime, and not becoming another case study for me to write about. Just in the same way that you lock your house windows, doors, and gates, and put on alarms, Cybersecurity is about putting in multiple forms of defence that reduce the risk of an attack. 

But just like your home, nothing is 100% secure. If someone wants to get in, they will. All they need to do is find that ‘chink’ in your armour, or gap in your defences. The more complacent you are, the easier it becomes. This is why this last ‘whopper’ is so dangerous. It’s tantamount to a double-glazing salesman saying that you’ll never be a victim of burglary because you bought their windows… But what about the garage door you left open? Or the front door you didn’t secure?

No one device/service/system will protect you. Security in depth is the principle we need to apply.



I love being a Consultant, and I know some fantastic Consultants too. But there are some snakes out there too. Remember that a dog will cower and look down when they know they’ve done wrong; a snake will look you straight in the eye as they bite.

Learn to spot the difference.
