The time when companies could manage cyber-risks based on their level of exposure (network, business, etc.) is long gone. Companies that refuse to take this risk into account may face consequences ranging from “simple” data loss to civil liability on the part of the owner. Except for some fields (defense, R&D, etc.), cyber-security is not part of corporate culture or of the CEO’s concerns.
Here are some misconceptions that lead to IT system security failures.
Forgetting that the main weakness is the user
The weak link in any IT system’s security is the user, and this is something you have to deal with. Some user-friendly tools (BYOD, document sharing, etc.) can have serious consequences in terms of data intrusion or leakage. Cyber-security is, first of all, a matter of best practices rather than a stack of security solutions that reduce the IT system’s agility. Raising the CEO’s awareness of the (personal) risks incurred and training employees are the main rapid and sustainable improvement actions. Elementary cyber-security practices must be part of corporate culture, much like production quality and striving for excellence.
Comforting yourself by saying that you are not the target
Given how little attention cyber-risks receive, and given network interconnection and the automation of attacks, you no longer need to be visible to become a target, since the cost of an intrusion keeps falling for the hacker. It has thus become vital to protect yourself for what you are. Training on best practices and the deployment of technical solutions must take place in a context that is neither paranoid nor permissive. I therefore recommend that you assess the consequences an attack would have on your activity, clients, providers and employees, so that you know how to react accordingly.
Thinking that you are secure enough
The tools used by users, intrusion practices and reliable solutions are continuously evolving. You may think that an up-to-date antivirus, a firewall or a regular backup outsourced to a specialist are the minimum legal safety criteria. However, this scope is not enough for digital companies. Without having to allocate significant resources, you must regularly update the best practices followed by your employees and your technical solutions, reassess the risks the company incurs based on its exposure, and implement continuous improvement practices.
Taking security into your own hands
An IT system’s security scope is no longer limited to Internet access, workstation antiviruses and the servers found in the company’s server room. While it does not always require expert intervention, this scope calls for specialists able to focus their attention on the security failures that most affect the company’s activity. It is thus important to be assisted on a regular basis.
Forgetting to integrate cyber-security in company risk management
At the highest company level, security is barely taken into account. The risks related to key persons, fire and loss of revenue are often covered. I recommend that you look into coverage or liability insurance policies for cyber-risks. When statistics show that 50% of companies (worldwide) suffering a major IT disaster don’t survive for more than 18 months, you should protect your company against cyber-risks, which can no longer be treated as mere chance events.
Pentalog consultants assist their clients with the continuous improvement of their security practices. Through audits, the definition of an adapted security policy, crisis management and improvement follow-up activities, these consultants adopt the security approaches necessary to protect your company against cyber-risks.