What level of security do you need?

In amongst all the accusations and counter-accusations (see, for instance, this summary in Cybersecurity: Experts Wonder If New Obama Order Goes Far Enough in the International Business Times) about who is cyber attacking who, and who isn’t, two thoughts emerge: the first is that more and more organisations around the world are suffering the consequences of cyber attacks, and the second is that not all are!

Business continuity professionals face this conundrum every day: managements telling them that while other organisations have clearly suffered severe disruptions from some form of external event,¬†their organisations¬†haven’t (yet).¬† These choice, in more banal terms, could be described as: some houses have been broken into in this neighbourhood, but some haven’t – should we take precautions against that possibility or not?

A key part of a sensible answer to this questions would depend on your assessment of the likelihood of a breakin, starting perhaps with an assessment of how many house robbers there are in the vicinity. If you think that you live in a hot area for house theft, you’d probably decide on some precautions – probably not at the same level as required by the neighbourhood bank, but certainly enough to secure your house and assets.

The same approach is necessary for digital assets. The Internet is a hot area for the theft of digital assets, so basic precautions make sense for everyone. If you’re an organisation, ‘basic precautions’ means:

  1. Vulnerability scanning & penetration testing;
  2. Encryption of mobile devices;
  3. Staff training and awareness; and
  4. Email encryption.