Gary Hibberd

2019-10-08

I was recently invited to speak at a conference where the audience contained over 200 CEO’s and business leaders from across Europe. It was an event with some incredible speakers, and I had been invited along to talk about the evolution of cybercrime. I was also asked to explain how data is used by both conventional business and organised crime.

My talk focused on the need to improve technical security but also on the need to educate end-users, highlighting the importance of upgrading both our technical and our human firewalls. It was during the Q&A section of my talk that the head of an organisation asked the following:

“We spend over €10 million per annum on technical security. How do I know it’s effective and how should I spend it?”

On the face of it, this is an almost impossible question to answer. But I did have an answer for her.

“If you don’t know it’s effective, then stop spending it on IT now, and invest in some advice.”

The squeaky wheel…

While my reply may seem glib, it is 100% accurate. Why spend money in an area that might not need it? For far too long we’ve approached cybersecurity as an IT issue and/or a technical issue. As if it’s an issue that can only be solved by looking at the IT department and saying “Hey you! Fix it!”. But we do this while neglecting the users of the technology as if they don’t have an impact on how successful cybersecurity can be.

But, because headlines are full of stories of how hackers have broken into organisations due to weak networks, the IT department is often charged with ensuring data is secured. So the budget for cybersecurity all too often goes to the IT department, and to it alone. IT departments then invest in cloud, end-point security, and secure data centres. None of which comes cheap, and while it’s money well spent, it shouldn’t be the only focus for businesses. But as the saying goes, the squeaky wheel gets the oil.

If data is our most valuable asset, we need to recognise that every part of the business needs to get involved. So how do we ensure this happens effectively?

Let’s Talk

Whilst many organisation leaders now recognise that cybersecurity is about more than technology, they are still placing their entire cybersecurity budget with the IT department. I can usually tell how good an organisation’s security is by asking just three questions:

1) Do you have a budget for cybersecurity?
2) Where does that budget sit?
3) What has it been spent on in the last 12 months?

The answers to these questions will be very revealing, and you should ask them of your board too. If the answers are “£xx,xxx”, “IT” and “technical solutions”, then chances are that you are leaving yourself vulnerable to cyberattack.

There are no Silver Bullets

There are no ‘silver bullets’ in cybersecurity because there’s no ‘one thing’ that can solve all your cybersecurity concerns. But the secret weapon of cybersecurity is seeking advice outside of the IT department. It may sound simple, but if your only tool is a hammer, then every problem looks like a nail.

It’s important to remember that no one tool can solve all your problems, not just because cybersecurity is a multi-dimensional problem, but because every organisation is individual and different. Therefore you need to look at your organisation through the lens of cybersecurity. If you can’t do it alone, then get advice on how to do it.

Our Approach

At Cyberfort we have an approach to assessing an organisation against cybersecurity frameworks, giving you a better understanding of your risks and vulnerabilities. How do we do this, and how can you do the same? Of course, it takes time to learn the technical aspects of security standards like ISO 27001, PCI DSS and Cyber Essentials, so approaching this topic from a more pragmatic perspective could help you almost immediately. So here’s what you should do.

Understand the risks

Firstly, ask each of your departments (HR, Finance, Sales, Marketing etc.) “What data do you hold?” You may have already done this under a GDPR programme, so use that information to inform your next step.

Next, you need to perform a risk assessment. However, we approach it from a different point of view. We don’t ask “What are the risks to the data?” We ask “What would be the impact if we lost the data?” Why do we ask this? Because it focuses the mind on the ‘pain’ of losing information. It’s a subtle but important shift in thinking about risk, and it catches many people off-guard.

Now that you have a view of the impact, you can ask a further searching question: “How could this happen?” Here we’re looking for the vulnerability. Responses might include “An employee sends the data to the wrong place” or “Hackers gain access to the client database.” There could be multiple scenarios, but psychologically we are better at imagining past events than at imagining future possibilities. This is why this approach is so powerful and turns traditional risk management on its head.

Finally, once you have the above information you can ask “What do we do, and what can we do, to prevent these things happening?” Here we have two questions in one, but again this will help you understand what current controls are in place and what more can be done … and THIS is where you will now focus your budget and attention. This is traditionally (and technically) known as the ‘vulnerability assessment’, and of course it can be quite detailed. But fundamentally it’s about asking HOW these scenarios could come to fruition.

Seek to understand, and then to be understood

Asking questions is the foundation of good cybersecurity. But it’s asking the right questions in the right way that adds greatest value. At Cyberfort I believe we have a relatively unique approach to cybersecurity in that we don’t merely focus on technology, because technology is only part of the solution. We focus on what is needed and seek to understand how we can protect you more effectively.

It’s important that you seek to understand how data is used, how it could be lost, and how it is protected, across the entirety of your organisation. By doing so you’ll know where to focus your attention and therefore your budget. Had the CEO taken this approach, she would perhaps have been able to use the €10 million on IT security more effectively, and spent some of it on staff training or increased physical security (e.g. shredders). She may even have been able to reduce the overall budget altogether.

Conclusion

There are no silver bullets in cybersecurity, but the secret weapon is collaboration and asking searching questions. Succinctly put, the secret weapon is seeking good advice. If you’re having difficulty knowing where to spend your cybersecurity budget, perhaps spend it on gaining deeper insights into your cybersecurity processes in the first place, and ask for advice.

But remember: many receive advice, but only the wise profit from it.
