We know IT security is important so why aren’t we doing anything about it?

Ask any company what they are most worried about in their business and information security is usually in the top 3. It should be because, as I shared last month, the threat landscape has become worse. Here’s the problem: most businesses aren’t really doing anything about it. If you talk to IT providers, the hype isn’t spurring the actions that most expect to see when threat levels rise.

While many companies report that financial constraints are the main reason they have not acted on new cyber-security measures, our look inside the IT service industry shows something different. The real reason for the inaction is a lack of education.

Business leaders act quickly to protect against threats when they understand both the threat and the protection. No wise business spends money on something where it can’t see the value. Most of the current hype about cyber attacks paints the situation as dire and the solutions as hopeless.

Gossip about who has been hacked and whose information has been compromised makes attractive headlines, but it doesn’t tell the whole story. Businesses can take common-sense actions in security by educating themselves on a few simple things.

What does a non-technical business leader need to know about security?

1. Understand what has changed
The biggest shift we’ve seen is that people are now a bigger security risk than your systems. There isn’t a way to change behavior just by installing software. Embrace that you need to build a culture of transparency where every employee understands their role in defending against the enemy.

2. Know the motivations of the enemy
The cybercrime industry is extremely profitable. From selling information on the black market to holding your data ransom, the motivations are simple. The criminals want cash. When we hear that Sony has been hacked and think “at least we’re not a big target” or we tell ourselves “we don’t have any information worth taking” we’re buying into a myth that criminals target only high profile organizations. Everyone’s data can now be monetized.

3. Learn the math of your risk vs. cost
Every company is unique and has different needs. Defense isn’t a yes or no decision. It should be based on math. Many business decisions come down to risk vs. cost. A 99.9% protection strategy may cost 5x more than a 99.5% protection strategy. Business leaders need to decide what that risk is worth. Next month we’ll dig into the math on some of the most common protections.

In recent years it’s been perfectly acceptable to leave IT security education to the IT professionals. Today business leaders should start taking control of their IT security situation. Feel free to call Greystone with any questions or for further education.