Security

Why is it Necessary?

Cyber security is often a neglected, unwanted topic in many businesses discussions. The tendency is to ignore security or become irritated when it is enforced. This is probably due to the natural tension between convenience and security. Convenience and security represent the opposite ends of a continuous spectrum. Usually, complete convenience is very insecure, while high levels of security can be quite inconvenient.

You need to decide where on that spectrum you should position your various systems. One needs to analyse the risks to decide what compromise between convenience and security is appropriate in each case. Different aspects of your business systems usually need to be positioned differently. For example, customer facing interfaces need to be convenient, while databases and systems that store or process sensitive data need to be secure.

Security is also neglected because some people cannot believe that anyone would actually want to attack their business. “What would they do with my spreadsheets?”, is a common question. But even seemingly innocuous data has value in cyber criminal markets. Hackers collect data about people and businesses and sell that to other hackers, who are constantly searching for vulnerable targets that suit their preferred methods of attack. The more criminals can find out about you, your business and its systems, the higher the risk that you might be targeted by more serious attacks. And nowadays those attacks are normally automated and run on large scales, so it’s seldom an actual person trying to breach your systems, more likely a malicious bot or a spider which has been fed a list of likely targets.

A good analogy is to think of a rich tourist naively wandering into a bad neighbourhood while conspicuously festooned with valuables. They may wander around blissfully for hours without incident, but that does not mean they are wise, or were ever safe. The internet connects your business to the whole world, which includes ALL the bad neighbourhoods and people in the world.

Many people underestimate the scale of the problem, or wait until disaster befalls them, before taking the necessary precautions.

Basic Principles of Security

All security, whether it be securing your home against burglars, or securing your database at work, requires the application of the same basic principles. The objective is to keep bad people away from your valuables, while allowing access to those you trust. Those valuables may include your family at home, other assets and possessions, or sensitive business data and information.

This is done by using a combination of the following basic elements:

  • Barriers
  • Detection
  • Response
  • Authentication
  • Authorisation

Most people only think of barriers, when it comes to security, because barriers keep people out. In cyber security terms, barriers can take the form of intangible concepts like firewalls, network access rules and encryption, but it does include physical barriers as well (for example, preventing physical access to your servers).

But any barrier can be breached, given enough time and effort. So it is folly to rely on barriers alone, especially when attackers can harness vast amounts of computing power, or trick you into accepting malicious software that will stealthily work away in the background to overcome the barriers protecting your valuables.

Barriers only buy you time, and if the barriers are weak, then that time might be much less than you think. You should use that time to respond in some way, to either eject the attacker before they are able to penetrate, or alternatively, remove your valuables from harms way. Effective response is what truly keeps you safe, not the barriers. But in order to respond in time, you need to be able to detect when someone (or agent) is where they should not be, or is behaving maliciously. That requires authentication (so that you know who people are), as well as authorisation (rules that provide access to trusted people, while keeping others out).

How We Can Help

Cyber security can be a very complex and complicated. To make matters worse, it’s a very dynamic topic. Attacks are constantly evolving and mutating. It is a subject for specialists.

We do not claim to be specialists. However, there are basic best practices every business should follow, which are often neglected, such as:

  • A register of valuables.
  • A risk assessment of the consequences in the event of valuables being compromised, and thus what protection is appropriate for each.
  • A basic security policy which sets out the processes and rules that will be applied in the business.
  • Authorisation and authentication methods and rules.
  • Password management.
  • Backup policies, methods and recovery procedures.
  • Best practice guidelines for application development.
  • Human resource policies and training.
  • Discounted BoxCryptor Licenses (encryption for cloud sharing systems like DropBox, Google Drive etc).

We offer basic consulting advice on how to go about getting these in place.