Blog, News, and Articles

‹ Back

If I had to give only three pieces of advice to a company around information and cyber security threats, I would give the following advice.

 

1. Listen to what you are being told about cyber and information security best practise.

 

• There are plenty of good sources of information about information and cyber security on the internet and the real world. The reason that advice is there is that the threat is real, companies are being attacked all the time. Security by obscurity does not exist anymore. If you look at an email inbox you will see poorly written, easily identifiable phishing attacks this shows you are at risk. Many of the attacks (volume wise) against a company won't succeed as the attacker is poorly skilled and trying their luck but they will get luck at some point due to a lapse in concentration or some other form of human error and get to a successful completion of their attack. There are so the less frequent (low volume) more skilled attackers where you need to bolster your defences to ensure they don't succeed.    

 

1. Implement the best practise you have been told about, don't just listen, and do nothing

 

• There will be a multitude of best practise offered to you some simple and easy to implement, other best practise involves implement costly controls. You need to decide to what level of implementation you need to go, doing nothing is not an option, implementing everything is required when your crown jewels are worth a lot to you, your customers and the threat actors -large volumes of personal identifiable information, financial data, payment card details, intellectual property all can be easily monetised making attacking you worthwhile for the skilled attacker. For many companies it is a point in-between doing nothing and doing everything, that point depends on your risk appetite as professional call it, how much are you prepared to invest in security controls to ensure it doesn't cost your business by having a successful breach.

 

1. Continue to monitor, listen and implement best practise.

 

• Nothing stays still advice gets better, new threats arise the value of your crown jewels can go up and down meaning you need to keep evaluating your risk appetite as to what controls you need to implement to protect your company. Keep listening to the sources of best practices, found some that you can trust and stick with them but don't be afraid to try new sources. Yes, some people will try and frighten you and sell you that silver bullet to solve all your problems.

 

There is a lot of advice I would give companies and given a chance I will talk all week about cyber and information security. Don't let that put you off from asking for advice.

 

My viewpoint is security should be an enabler for your business to achieve its mission in a secure manner. Security should be pragmatic and appropriate to the risk you face, you know your company I know about security together we can develop the approach that meets your needs.