So, IT Security is the same as Cyber Security, right? Well, no, that’s wrong. That surprises a lot of people, so let’s explore it a bit. There is clearly a close symbiotic relationship between the two disciplines. I would argue, and I know this might meet with some disagreement, that IT security refers to traditional IT security methods, which are technology based: firewalls, anti-malware, endpoint protection and so on. Cyber security, on the other hand, is based very much on risk management, which combines controls that are both non-technical and technical.
Within the SME world this tends to mean that there is an almost total reliance on third-party IT providers. Is that a good thing? After all, that’s their area of expertise and responsibility, isn’t it? And here comes the controversial bit. Third-party IT providers, particularly in the SME space, are pretty much exclusively value added resellers, or VARs, i.e. companies that sell other people’s products. Now I’ve no problem with that per se, but it comes with issues. Notable amongst them is that these companies will have skill sets that are very much limited to the products they sell, i.e. they are proficient in the installation and configuration of those products, and their clients are offered those products whether or not they are best in class or, more importantly, whether they are the most appropriate for the task. Before I get a social media pile-on, I know that some of the bigger VARs do sell multiple vendors’ products, but they are in a minority.
Before we go any further, let’s briefly explore some issues that are common amongst SMEs. Some common myths first:
- Small to medium size businesses are not worth attacking.
- Cyber Security is an IT Issue.
- Technology will keep me safe.
- My policies and procedures are up to the job.
- My staff are young and have been brought up with IT. They know the score.
Now let’s look at some of the more common issues that we see often amongst SMEs:
- Lack of awareness around the current real-world cybersecurity risks
- False sense of security, with a heavy reliance and dependence on an external IT third-party provider
- Lack of cybersecurity knowledge, and understanding
- Poor cybersecurity maturity and posture within their businesses
- Lack of staff training (at all levels) – just like Health & Safety, cybersecurity is everyone’s responsibility
So, what does Cyber Security give you that IT Security doesn’t? Well, it looks at the risk management issues that you might be facing. It looks at things in a very specific order: people, process and then technology. Do your staff understand the threats that face all businesses today? Would they recognise a scam if they saw it coming? Would they recognise a social engineering attack and be able to deflect it? Most scams will beat technology every time, and they are by far the most common way of taking SMEs for a lot of money.
Policies and processes are another very interesting area. It often surprises many SMEs when they are shown just how much can be deflected by good policies and processes that are rolled out, understood by all staff, and monitored. Sadly, only too often, we see policies that have been downloaded from the internet, topped and tailed, and taken into use – tick in the box, right? Wrong!! About as much use as a chocolate fireguard.
So how does a cyber security professional go about things? As I’ve already said, it’s about risk management, and before you can mitigate a risk, you have to identify it. Risk in this instance is defined by identifying the threats, which is a bit of a skill in itself, and then identifying how vulnerable you are to those threats. Threat + vulnerability = risk. Sounds a bit of a lengthy and expensive process for an SME, doesn’t it? Well, no. Here at H2 we have a subscription pricing model which makes it very affordable, and our solutions are appropriate because they are targeted at real risks. That enables you to direct your spend where it is going to do the most good, rather than wasting money on expensive tech that you can’t be sure you even need. Of course, this doesn’t mean you won’t need some tech; as I said, mitigations are people, process and then technology.