I was discussing cybersecurity recently with an experienced IT consultant. He works with a variety of clients, and some of them are reluctant to invest in security. He summarised the five common reasons given by clients. I’ve shown these below, together with my thoughts.
Firstly it’s the risk factor that ‘it probably won’t happen to me’.
Given the number of automated attacks against Internet connected servers (web, email, remote access), constant phishing emails and online fraud, it is highly likely that their organisation will be attacked. Geographical distance is no protection, and neither is size of business.
Secondly its the decision maker level who don’t understand technology – and unfortunately techies aren’t the best at giving business reasons for the ‘why’.
For the decision makers the conversation should not be around technology but business risk. How much brand damage they are happy to suffer, potential lost revenue, what explanation they will provide to their directors as to why they didn’t invest in security.
Thirdly it’s genuinely the cost – high levels of security can cost quite a bit.
This really comes down to identifying the likelihood and impact of an attack or incident, and the cost of protecting against it. Organisations should be doing this and creating a plan so that investment will created the greatest reduction in risk.
There is also the hassle of having to run through additional security procedures, like 2FA involving extra steps, complex passwords, biometrics.
Two factor authentication (2FA) is one of the most critical security investments an organisation can make. It can be implemented so that it provides protection without the hassle. It should only prompt on remote access, users should acknowledge a prompt on their mobile rather than having to enter codes, and they should have the option to remember their device (e.g. laptop) for a period of time (usually 30 days) which will reduce the number of times they are prompted.
Final issue that i’ve heard was that companies have invested thousands after a security audit and it turns out it’s protected them that day, but the next day there is a new threat on their environment – so a continually moving target.
There is a lot of hype from cybersecurity vendors about the latest threats. However in my experience there are a core set of security measures that never become outdated. These include 2FA, patching, restricted admin rights, management reporting, good payment policies, good privacy policies, standards for web development, standards for IT suppliers. There will always be a need to review cybersecurity risks (this should be done annually) but many new threats will be mitigated by the basic security measures above.
Cybersecurity can be approached in a measured, cost-effective way that reduces business risk. If you’d like to learn more about how we help organisations then please get in touch.