I was recently asked to write an article for a journal that circulates through Australian educational institutions. The topic they wanted me to write on was cyber security. Simple... well, yes and no.
The real challenge soon became limiting the scope of the article and trying to figure out exactly what level of understanding and knowledge the audience was likely to have. I also wanted to write something that would hopefully add some value for the potential readership. In particular, I wanted to give the audience some hints on how to get started and what sort of process to follow.
Coincidentally, another client sent me an email asking me to provide some words for them to have in reserve in case they had to respond to media questions relating to their public-facing system. They had particular concerns around "drop box" hacking and whether it could happen to them.
The short answer is yes, it can happen to you. Sites get hacked all the time, for a multitude of reasons. This is not a particularly reassuring statement to make to people who understand they need technology to operate their businesses but are not technology professionals per se. People like and expect assurance in this day and age. Often this is hard to give.
On reflection, the best answer I could give to my client was really the content of the article I wrote. That comes down to understanding the level of risk the organisation carries, based on classifying the data it holds, the quality of the security currently in place, what a potential hacker could gain, and so on. From that point, a risk profile can be created and then managed using a variety of methods spanning technology, users, stakeholders and so on. I also went as far as to suggest that organisations should have media statements prepared in case the worst occurred. This may sound pessimistic, but it is really nothing more than solid business continuity planning and crisis management.
I also tried to articulate that the level of security required should be balanced against the risk profile and the budget and resources available to manage that level of risk. The fundamental issue, I think, is that all organisations have a level of risk they are comfortable accepting, not only in cyber security but in all other aspects of business. It's up to the business to determine its risk profile by thoroughly understanding what data, systems, users and so on it has. It's only from this point that a clear decision can be made as to whether or not the preventative cyber-security measures are appropriate.
I also think it is important to understand that many cyber-security measures have little to do with technology and everything to do with users. Users' habits and processes are the fundamental weakness in the best-laid processes and plans. This means that educating users and shaping the work practices they employ is fundamental to maintaining an environment that is as secure as possible. Essentially, cyber security is only as good as the weakest link, and that may well be a person, not a computer.