Anyone in business today understands how critical information technology and information systems are to operations. From large multinational corporations to the small corner store – every business relies on computers, the Internet, and technology. In essence, IT has become the nervous system of modern business. Businesses simply cannot function without it.
Of the many risks that IT managers/departments face, the one that keeps many of them awake at night is cybersecurity. The challenge associated with cybersecurity is very dynamic. Threats like natural disasters or extended power outages do not really change over time, so once continuity and recovery plans for them are in place there is not much more to do. Bad actors looking to breach your systems, however, are constantly changing and adapting.
What can large and small businesses do to keep their systems secure? Even the biggest and most sophisticated tech companies fall victim to system intrusions and data breaches. How can small to medium-sized businesses achieve an acceptable level of cybersecurity without breaking the bank?
This was the topic at a recent Southern Illinois Leadership Council meeting. At the session, Charles Forsythe, Director of IT Services for SuprTEK’s Solution Engineering and Delivery Unit in O’Fallon, IL, presented “How to Untangle Cybersecurity without Blowing Your Budget.”
Cyber Attacks Pose a Serious Business Threat
In addition to providing some background on the evolution of business technology and the threats it has faced, Charles provided some examples of companies that had to deal with cybersecurity fiascos. In one instance, a company’s management team had to go to their respective personal ATMs to make maximum withdrawals on a Sunday in order to buy Bitcoin to pay a ransomware attacker in time for an early Monday deadline. In another case, a large insurance company couldn’t seem to win lawsuits against a particular law firm that always seemed to be a step ahead of them – until they tightened IT security.
Are you 100% certain your IT systems are completely free of unwanted spyware, viruses, or intruders? What steps should you be taking to prevent cyber attacks?
Taking Steps to Protect IT Systems
In his presentation, Charles recommended organizations understand their cybersecurity needs and risks before taking definitive action. As he explained, visiting car dealers before you even know if you want or need a new car is a bad idea. So is implementing or buying solutions without fully understanding the particular risks your organization faces. A three-step approach is recommended:
- Business Impact Analysis: Understand the effect cybersecurity threats have on your business operations and viability. What damage would occur and what would it take to recover? What do you have of value to hackers (data, the ability to operate)? In other words, avoid spending $100,000 to prevent a threat that would only cost $10,000 to repair/recover, or working to prevent something as unlikely as aliens landing on your lawn.
- Business Continuity Planning: Once you understand the impact various threats have on your organization, create plans to ensure appropriate prevention measures are in place, and that the business can continue to operate if the unexpected or unwanted happens.
- Disaster Recovery: Ensure the actual methods and resources (e.g. knowledge, procedures, data backups, secondary infrastructure) are known and available in order to recover from any threat: fire, natural disaster, or cyber attack.
Charles explained that the key for business leaders to understand their security challenges was to stay away from the technology and focus on the CIA (no, not that CIA). Business security efforts need to focus on ensuring one or more of these fundamental attributes:
- Confidentiality: Keep data and information away from those who should not have it.
- Integrity: Keep intruders out of your systems, and keep your IT operations and data intact.
- Availability: Ensure IT systems are accessible as needed for business operations.
As is often the case, applying common sense along with an applied knowledge of your business is the key to cybersecurity. Combine an understanding of vulnerabilities with an understanding of what is important to your business. Cost and complexity do not always add up to effectiveness. Sometimes a solution may be as simple as cyber awareness training for your staff.
Don Reed is a Senior Technical Writer and Project Support Specialist with the ADEV program. His background includes engineering and programming, project management, quality management and process improvement, and business-technical communication. Don has a B.S. in Electrical Engineering and an M.A. in Communication from Saint Louis University.