Cyber security is a problem that small and medium businesses and not-for-profit organisations consider of little consequence. The prevailing attitude of "it won’t happen to me" always comes to the fore when cyber security comes up in discussion. I am not going to get on my high horse about that—not this time, anyway.
Dabbling in cyber security is another common response. By dabbling I mean not understanding the ramifications of that little change on the firewall, having only one level of data backup, or using Google to make changes to your systems without testing them before deploying them to the production network.
Dabbling in cyber security is like learning to fly: You can take lessons, and in a few months, you can fly a small plane—similar to driving a car, except it goes up and down. With additional training you can get your all-weather license and away you go. The learning curve isn't too steep because the internal workings of a small plane and what's in the cockpit are relatively minimal. There are not many dials, switches, buttons or levers to pull and push to make the thing fly.
Now let’s take you out of that little plane and put you in the cockpit of a jumbo jet. The number of dials, switches, levers and the like has increased 100-fold. We are no longer talking small-scale. Despite your training, you'd be ludicrously unprepared.
This is what happens when an under-informed person tries to take charge of cyber security. Protecting your business from a cyber-attack through a directed hack, script kiddies or an insider does not involve just a few levers and switches. It is a combination of technical know-how, regulatory compliance, business and cyber resilience, and both internal and external management expertise. All these components have to work together to create a protective envelope around your business.
The whole cyber security protection process is similar to flying a jumbo jet. You don't want to discover how much you don't know when you're 10,000 meters in the air.
I have a friend who is a financial adviser. His clients come to him to invest, so that when they retire, their nest egg will be substantial. He will often give a presentation to a new client, only to be told, "I want to discuss it with my friend"—or brother, father, mother, son or daughter. These third parties have no understanding of the financial world, but the client will invest more weight in their advice than the advice of a professional.
I know we all do it. We all have friends whom we bounce ideas and questions off. You discuss health issues even though they're not doctors, you discuss building options even though they're not builders, and you discuss bathroom problems even though they're not plumbers. The difference is that most of us know the doctors, builders and plumbers are the professionals, and we don't really expect untrained amateurs to know their jobs.
But when it comes to computers, the average Googler has a false sense of mastery. Everyday people have little understanding of how complex the Internet, computers (desktop, laptop, phone or tablet) and the storage of electronic data can be. The difference between knowing computers and being an expert is huge.
An expert can assess the situation, rectify it and walk away long before someone who "knows computers" has worked out that they have a problem. You will PAY for that expertise, but I would rather pay for one hour of a professional's time than nine hours from an amateur, especially when it comes to my business.
When it comes to protecting your business from cyber crime, get someone in who actually understands the problems. Don’t just dabble!