Cyber Security: Starting with the Basics

From Equifax to the UK’s National Health Service to Target, Panera Bread, and FedEx, major cyberattacks are rarely out of the news lately. No organization should consider itself safe from a cyberattack when governments and major corporations with strong cyber security strategies are being affected.

Assuming you’re not a government entity or a large corporation, you might believe that you’re not a target for cyberattacks, especially if you don’t hold proprietary or sensitive data that you consider “valuable.” However, even companies that don’t have valuable or sensitive data to protect can be affected by a cyberattack if it immobilizes operations or access to key user services. Both DDoS and ransomware attacks are designed to stop operations or the revenue stream, and they negatively impact most businesses.

Information Security vs. Cyber Security

Information security and cyber security can cover a broad range of security-focused activities, from protecting information against unauthorized access and diverse types of misuse to dealing with a concerted attack by a government, terrorist group, or criminal enterprise.

So how do you draw the line between information security and cyber security? When you search “difference between information security and cyber security,” you can get hundreds of different answers, and sifting through the delineations can be overwhelming at best and splitting hairs at worst.

Our advice to you? Don’t get bogged down in the definitions and details. Instead, take a few steps back, simplify your approach, and make sure you are addressing all the basic security risks specific to your organization. Usually this can make your risk environment easier to understand, which typically results in more usable solutions for your security program.

Building a Strong Security Program

Make sure you have answered all the basic security questions before you invest in and grow your organization’s security program. If your organization is just starting down this road, answer these basic questions first. For example:

  1. Do we have any valuable or sensitive data that should be protected?
  2. Have we identified the system components and assets that receive, store, process, or transmit confidential data?
  3. How are those system components and assets properly secured?

If your organization has a more developed security environment, then start by answering some basic questions to address cyber security. For example:

  1. Do we need cyber security insurance?
  2. Who is responsible for our cyber security program?
  3. Do we have a plan in place for when a security incident or breach occurs, and has that plan been tested recently?
  4. Do we have endpoint protection on mobile devices?

Lastly, look for any low-hanging fruit: security risks that could be easily improved or that are often overlooked. For example:

  1. Do we provide security training for our employees and end-users?
  2. Do we use legacy or end-of-life systems that are no longer maintained or supported; if so, how are those systems protected?
  3. Have we identified all the risks from external dependencies and third-party vendors?

Look Before You Leap

We are constantly seeing more and more stories of cyberattacks in the news. Although this type of data breach gets most of the press coverage, we see again and again that it’s human error or a lack of basic security processes that is the primary cause of a data incident or breach.

The Information Commissioner’s Office (ICO) compiles a quarterly data security incident trends report about the key causes of reported data security incidents. In the first quarter (Jan-March) of 2018, most of the leading causes resulted from human errors or process failures. As these stats suggest, the best security systems in the world may not save your organization from the irreversible damage a data breach can cause.

Make sure your organization has taken the time to understand your security environment and program before purchasing the next big security technology or “catch-all” solution. If you don’t, you could be investing your organization’s future on a bed of sand.

If you have any questions about where to go next, please don’t hesitate to reach out to us. We’re here to help.