Have you ever wondered why protecting your business from cyber attacks is so difficult? Many claim they are experts in security, but businesses of all sizes seem to struggle with the same basic concepts. In this post I'll go over the top 5 basic cybersecurity concepts that I think businesses of all sizes struggle with, and what you can do about it. Let's get to it!
#1 - Getting Started with Cybersecurity
I can tell you there have been countless times where I have walked into a server room, and as I am talking to the IT manager, business owners, or other leaders about cybersecurity, it quickly becomes apparent that there's a massive assumption that it was sort of being taken care of on its own, magically. Like a magical lamp that sits in the server room and grants them their security wishes.

This isn't new, and anyone who hasn't experienced it before likely believes that "IT Security" is sort of what everyone does in a general sense, and just assumes it's being done. Very few people get to experience cybersecurity from a person genuinely trained in the craft, and because it's a hard skill to develop, many just assume whatever they were doing is effective enough.
What should I do?
Get Management Backing
If your management isn't on board, you can't do anything. There may be people out there who are OK with trying to enforce policies from a bottom-up strategy, but I have seen it fail every time without upper management supporting it.

Talk to your leaders, explain why security matters and why you need to take a proactive approach. Work with your management to make this a top down effort, and you'll be far more successful in your effort.
#2 - Budget
From a small storefront to a large-scale enterprise organization, cybersecurity often gets stuck at the hurdle of "Why should we spend money on this?". Despite the volume of expert opinions out there explaining why you should, many businesses struggle to justify the cost of cybersecurity.
Even in larger organizations, where cybersecurity measures are mandated by law or by regulatory compliance, it's still a debate amongst leadership teams whether cybersecurity is worth spending money and time on. It usually takes an incident to "make it real" to someone in charge before attention is given to the topic, which is like buying fire insurance after your house burns down. By the time you decide to invest in it, it's already too late.

The thing that always confuses me in conversations with business owners is the mindset that security is just a cost rather than an investment—something they can simply avoid to save money. You know what I’ve never seen? A business owner who’s happy when their critical systems go down, bringing productivity to a halt due to a security incident. Not once. And I doubt I ever will.

What can we do?
Find out the "Real Cost" of an outage
While many businesses can't tell you how much they are worth in an hour, by taking the valuation of the company and dividing it by hours, you can get a rough estimate of how much the business costs to run. As an example, a business that is worth roughly $10 million a year is worth about $1142/hr. This does include weekends, holidays and after-hours time, so adjust as needed for your business model. Once you know that, you can start to quantify the cost of business vs. the cost of protecting business assets.
Let's walk through the exercise of using redundancy. Let's say your business requires a web application to generate revenue, and this revenue is tied to the cost we estimated above ($1142/hr). If we take the hourly value of the asset and multiply it by the average outage duration (let's say 4 hours), we get a Single Loss Expectancy of $4,568. If that server goes down 3 times in a year, it costs the business $13,704 (Annual Loss Expectancy) in that year.

Now, let's imagine you used another server, and for the sake of argument, you were in a cloud environment where you can easily spin up another VM. If the server cost you $500/mo to operate (there are cheaper options, depending on the scale needed), you'd be looking at $6K/yr, or less than half the cost of the loss of services you expect over the course of the year. Even if setting the server up cost $5K in staff costs, you're still ahead AND you got *something* out of it.
Am I saying that as long as the cost to implement protection is $1 less than the loss, then it's worth it? No, this isn't the Price is Right. But you should be looking at cybersecurity more as an investment to protect your business than as an outright cost.
You also may be wondering "James, what does redundancy have to do with cybersecurity?". Well, a production outage caused by a malicious actor, or by a poor design choice, has the same net effect on a business. The threat actors didn't have to do anything; they just waited for your own decisions to impact you, rather than going after you.
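Here is the same cost-of-outage exercise as a small Python script, added as an example for this post (it is not the author's own code). It takes the post's figures (a $10M/yr business, 4-hour outages happening 3 times a year, a second VM at $500/mo with $5K of setup) and generalizes them into a Single Loss Expectancy, an Annual Loss Expectancy and a first-year cost-benefit check for any mitigation. The 24x365 hours assumption and rounding the hourly rate to whole dollars match the post; the `Mitigation` class and `outages_prevented_fraction` knob are my additions so you can model a control that only removes part of the expected loss.

```python
"""Quantitative risk estimate: hourly asset value, SLE, ALE and a
first-year cost-benefit check for a mitigation.
Added example, not from the original post."""
from dataclasses import dataclass

# The post divides annual value by every hour of the year (nights,
# weekends and holidays included); adjust for your own operating model.
HOURS_PER_YEAR = 24 * 365


def hourly_value(annual_value: float, hours_per_year: int = HOURS_PER_YEAR) -> int:
    """Rough hourly value of the business, rounded to whole dollars
    (10M / 8760 -> 1142, the figure used in the post)."""
    return round(annual_value / hours_per_year)


def single_loss_expectancy(hourly: float, outage_hours: float) -> float:
    """SLE: what a single outage of this asset costs."""
    return hourly * outage_hours


def annual_loss_expectancy(sle: float, outages_per_year: float) -> float:
    """ALE = SLE x annual rate of occurrence."""
    return sle * outages_per_year


@dataclass
class Mitigation:
    """A control you are considering (hypothetical helper, not a standard)."""
    name: str
    monthly_cost: float
    one_time_cost: float = 0.0
    # 1.0 means the control removes all expected outages of this kind;
    # use a smaller value for a control that only reduces them.
    outages_prevented_fraction: float = 1.0

    def first_year_cost(self) -> float:
        return self.monthly_cost * 12 + self.one_time_cost


def evaluate(annual_value, outage_hours, outages_per_year, mitigation):
    """Run the post's exercise end to end and return every intermediate figure."""
    hourly = hourly_value(annual_value)
    sle = single_loss_expectancy(hourly, outage_hours)
    ale = annual_loss_expectancy(sle, outages_per_year)
    avoided_loss = ale * mitigation.outages_prevented_fraction
    cost = mitigation.first_year_cost()
    return {
        "hourly": hourly,
        "sle": sle,
        "ale": ale,
        "mitigation_cost": cost,
        "net_benefit": avoided_loss - cost,   # positive = you come out ahead
    }


if __name__ == "__main__":
    second_vm = Mitigation("second VM in the cloud", monthly_cost=500, one_time_cost=5000)
    for key, value in evaluate(10_000_000, 4, 3, second_vm).items():
        print(f"{key:>16}: ${value:,.0f}")
```

The "net_benefit" line is only the arithmetic the post walks through; as the next paragraph says, a control being $1 cheaper than the expected loss is not by itself a reason to buy it, so treat the number as one input to the conversation with leadership, not the decision.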

#3 - Categorizing what's important
Even the largest security departments would be lost without knowing what they need to protect. Unfortunately, as businesses naturally evolve, so too does the complexity of keeping important information centralized and categorized in a way that makes it easier to protect. This can leave smaller departments feeling daunted when trying to figure out where to focus their protection with a limited number of staff.

"You need to protect our most important assets, somewhere down there." --Mgmt. Direction to IT Dept.
What can we do?
Start.
There are many books, tools and tricks you can use to try and prepare yourself, but sooner or later you need to get in there and start identifying what's important. Start with the business unit leaders, and record where they keep information vital to their job functions.
You should categorize your findings into broad categories like so:
- Confidential (Highly Sensitive): Most sensitive business data (e.g., trade secrets, R&D, legal data, HR files, customer PII). Unauthorized access could cause severe financial or reputational damage.
- Private (Internal Use Only): Sensitive internal data (e.g., financial records, business strategies). Unauthorized access could moderately impact operations.
- Sensitive: Data that requires some protection (e.g., customer contact info, internal memos). Unauthorized access could cause minor harm.
- Public: Data that can be freely shared without risk (e.g., marketing materials, press releases).
Finance departments, the executive branch, and development teams are good places to start, and having these categories laid out in advance will help you sort the information as it's identified, and allow you to move it to the appropriate spots where you can enforce IAM practices.
#4 - Technology Stacks
Ok, you've got management on board, enough budget for a couple of Tim Horton's gift cards and a rough idea of what you need to protect. You're ready for cybersecurity! Now you need the tools of the trade to make real progress.
The problem is many mainstream tools are VERY costly, and that's just if you want to talk to a sales rep to find out how much you can't afford their products. There's also a sharp learning curve if you've never used some of these stacks that can make it difficult for the average IT person to adopt. For those who have never tried it before, the task of implementing these tools is as daunting as a large wall you've never tried climbing before.

What can we do?
Start cheap, and grow as needed.
You should have a ticketing system (no, not Notepad or an Excel file that only you can see) where you can start recording what you're working on, what you've found, and what needs to be improved. These days there are plenty of good tools that are literally FREE that you could use to get started, even if you're a team of fewer than 5 people (JIRA from Atlassian is free for up to 10 users, and includes a full-stack service desk SaaS solution).
You also should have somewhere to record documentation, including business policies, standard operating procedures, and any custom information that should be recorded and shared (Atlassian saves the day again with Confluence, and it can integrate with JIRA; what's your excuse now?).
Do you have more than 1 server? How about networking switches, websites and internal endpoints? I'll bet not only do you have way more than that, but you can't tell me which switchport is using way more bandwidth than it normally does in an average week. Monitoring software can get real complex real fast, but it's also the most effective way to understand what's going on in your environment, especially on smaller teams.
PRTG offers a free up-to-100-nodes license, and can be installed on a Windows desktop or server in under 10 minutes. It's also one of the more intuitive monitoring UIs to get started on. There are also many open-source/free editions of tools that you can try, but you should be using *SOMETHING*.
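To make the "which switchport is using way more bandwidth than it normally does in an average week" check concrete, here is an added example (not the post's code, and not how PRTG or any other product implements it) of the baseline comparison a monitoring tool performs under the hood. It builds a per-port mean and standard deviation from a constructed week of daily averages, then flags any port whose current reading is both several standard deviations above its baseline and at least double its normal rate. The port names, readings and thresholds are all made up for the example.

```python
"""Baseline deviation check for switchport throughput.
Added example with constructed sample data, not from the original post."""
from statistics import mean, pstdev

# Constructed baseline: average Mbps per day over one week, per port.
BASELINE_WEEK = {
    "Gi1/0/1": [42, 45, 40, 47, 44, 12, 10],          # office uplink, quiet at the weekend
    "Gi1/0/2": [300, 310, 295, 305, 320, 290, 300],   # file server, steady
    "Gi1/0/3": [5, 6, 5, 7, 6, 5, 5],                 # printer, barely used
}

# Constructed "right now" readings in Mbps.
CURRENT = {"Gi1/0/1": 46, "Gi1/0/2": 880, "Gi1/0/3": 60}


def port_baseline(samples):
    """Mean and population standard deviation of a port's baseline samples."""
    return mean(samples), pstdev(samples)


def is_anomalous(current, samples, sigmas=3.0, min_ratio=2.0):
    """True when `current` sits more than `sigmas` standard deviations above
    the baseline mean AND is at least `min_ratio` times that mean.
    The ratio floor stops a very steady port (tiny std dev) from alerting on
    a trivial bump; the sigma test stops a bursty port from alerting on a
    normal busy day."""
    mu, sd = port_baseline(samples)
    return current > mu + sigmas * sd and current >= min_ratio * mu


def find_anomalies(current, baseline, **thresholds):
    """Return the sorted list of ports whose current reading breaks baseline."""
    return sorted(
        port for port, value in current.items()
        if port in baseline and is_anomalous(value, baseline[port], **thresholds)
    )


if __name__ == "__main__":
    for port in find_anomalies(CURRENT, BASELINE_WEEK):
        mu, sd = port_baseline(BASELINE_WEEK[port])
        print(f"{port}: {CURRENT[port]} Mbps now, baseline {mu:.1f} +/- {sd:.1f} Mbps")
```

With these figures the office uplink at 46 Mbps is a normal weekday and stays quiet, while the server port at 880 Mbps and, more interestingly, the printer at 60 Mbps both get flagged. A printer suddenly moving ten times its usual traffic is exactly the kind of thing a small team never notices without a baseline, and it is worth a ticket whether the cause is a misconfiguration or something worse.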
Logging tools are vital for collecting and centralizing information before you attempt to analyze it to understand what's really going on in your environment. An ELK Stack is a decent place to start if nothing is commercially available, but this is going to take a massive amount of effort to implement.
There are many more applications that could help you: risk management applications, SIEMs, log aggregators and automation platforms, just to name a few. I might go over some of these in a later blog post, but for this article I wanted to start from the basics, as I've seen many environments where the above tools were completely absent, which is just wrong to me.
#5 - Evolve
Even larger enterprises can struggle with this, as many organizations with an existing cybersecurity program get stuck in a rut, because no one looked at the policies in the past 5 years. Once something works, people assume it tends to keep working, and thus stop paying attention to it. Unfortunately, that's when the attack is likely going to hit you, when you think you've done enough to prepare.
Attackers continuously evolve their efforts, and security departments need to do the same. AI and the increase in data accessibility have only accelerated attackers, and many established departments are falling behind due to legacy policies, or no policies at all. A brief look at the threat landscape shows most internal IT teams are horrifically outgunned in this fight.

What can I do?
Continuous Improvement
Just like looking at someone who's been at the gym for 10 years longer than you, what's possible for others might not be possible for you. What you should be focusing on is ensuring you are regularly discussing YOUR threat landscape with your business leaders/owners, and ensuring cybersecurity continues to be a topic on everyone's mind.
Do you have a monthly meeting with your team to talk about cybersecurity? No? Send a calendar invite for 30 minutes. Does your leadership discuss technical risks at the leadership meetings? Make sure it's on the agenda. Does your team have a daily task list of checks on systems? Make one, and keep adding to it. The more you improve your smaller processes, the bigger the impact will be on your effectiveness in the organization.

That's my list! If you want to talk more about any of these topics with me directly, hit up my social media links below. Thanks for reading, and good luck out there!
