Guest blog courtesy of Michael Carr, 2Tela
In conversations with business owners, a common set of responses comes back whenever the topic of cyber security arises.
“Who’s going to target us?”
“We’re not big enough to need any of that!”
“It’s OK, my IT support company does all that for me.”
In a sense there is an element of truth in the statement “who’s going to target us”. In the past, and this is not that long ago, hackers and cyber criminals conducted their devious operations by the skill of their hands and knowledge. Hacks were manual, so effort versus reward would very much suggest ‘go big’ and go for targets that have deep financial pockets to afford the ransom or scam.
And then suddenly, we enter a world of Cloud Computing and Software as a Service (SaaS). What a game changer, no more expensive bits of IT kit whirring in offices, all your data and applications just a mere browser away!
This stumped the hackers and cyber criminals, as big IT providers like Microsoft and Google, with their exponential budgets dedicated to cyber security, almost made the art of hacking a historic IT thing – think fax machines!
However, hackers and cyber criminals are not stupid, nor are they deterred by change. They embraced change and focussed their efforts on what Cloud Computing and SaaS provide the everyday user: massive amounts of computing power, exponential amounts of valuable data and more access points than ever imaginable. Yes, the hackers and cyber criminals embraced the new way of working, and now focus on what and where they can exploit in the new ways of IT.
They developed their own set of SaaS services especially for the hacking and cyber criminal community. Now new hackers to the game of cyber criminality do not have to ‘know’ how to hack. Just add in a country code or top level domain (TLD) such as “.co.uk” and the machines will happily tick away doing the hacking work for their masters. This indiscriminate targeting is worse, as the machines and their operators can try all sorts of techniques, which you as a business owner need some sort of protection against.
This leads me onto the second response “we’re not big enough to need any of that”. Banks used to spend a considerable amount of money protecting their IT systems. If you were a cyber security provider with a banking client, it was happy days. Banks wanted the latest technology and had the resources to pay. And to a degree they needed it. Hackers were clever and banks had lots of money, so the banks needed to be at the head of the race.
That was then; now things are very different. Hackers and cyber criminals use IT as much as any business. Why manually send an email when you can write a little application to do it ‘en masse’ for you? Why try and break through a firewall when someone’s credentials let you straight through? There is no longer any need to physically scope out a business premises, as everything is online and connected to the internet!
So, when you think you are ‘not big enough’, think about the adversaries. They are no longer individuals bashing out commands on a keyboard, but lots of computers running programs that are extensively targeting your business, all because you have an IP address or use Microsoft 365 (for example).
And this leads on to the last point “it’s OK, my IT support company does all that for me”. If only that were true.
All service providers will deliver a) what they are contracted to and b) what they can actually deliver.
Cyber security has 3 fundamental components – people, process, and technology.
People are and will remain the primary operators of security. Irrespective of their role in any business, its people are the driving force behind building a culture of cyber security, where each person understands their role in defending the business from cyber threats.
Processes are the rules of how to work. Processes drive everything we do. Without processes there will be chaos, with everyone doing things in different ways. Cyber security is no different: within each process there will be some cyber security influence in terms of what happens next. It could be entering a password, or it could be reporting an email because it looks wrong. Processes allow your people to follow the same steps without misinterpretation.
Technology is the component that allows the identified controls within processes to integrate with your people. It’s the bit you often buy but not often implement correctly. This is because technology purchases are quick and easy whereas working out how you want it to work and how it interacts within your business processes is often complicated.
What an IT support provider can provide is technology. However, their remit often ends just there. Every business needs to understand how it works, what threats are present within its business operations and what it wants to do about them.
A policy can be just as important as a firewall. An education program can have more impact than a ‘black box with flashing lights’.
Many a conversation has been had following an assessment where on paper a business is as insecure as a house with no doors and windows.
Cyber security is the interface between your people, how they work and the technology that supports it. Good cyber security supports the business (or does not negatively impact the running of the business) whilst providing protection at key points of a business process.
IT support can support your IT bits and pieces, but it certainly does not look at how you protect your users from someone calling in and pretending to be a senior manager and requesting a bank transfer.