Let’s start with an analogy.
You take home security pretty seriously. You have deadbolts on every door, and a security bar for your slider. You have an alarm system with motion sensors, which you arm when you leave and before you go to sleep. You have cameras keeping watch from all angles, at all times.
With all these protective measures in place, is your home 100% “safe”?
No, it isn’t. Your risk of a successful intrusion is lower, yes. You are safer. But if someone really wants to get into your house, they will.
And then what?
Do you know how you would respond to a break-in? If your alarm system goes off, what do you do while you wait for help? If it doesn't, would you be able to make the call? In the aftermath, would your homeowner’s insurance cover any theft? To what amount? Do you have record of your valuables to produce as needed? Who else would you need to notify?
In other words, if all you’ve been focusing on is keeping the bad guys out, will you be able to react, remediate, and recover when they make their way in?
Why “Are we safe?” is the wrong question
When it comes to cybersecurity, none of us are “safe,” and we will never be “safe.”
Big-name companies are being breached left and right (Target, Sony, OneLogin, Equifax, Deloitte, Whole Foods…), despite having very, very deep pockets to fund their security initiatives; if there were a way to make your business bullet-proof, wouldn’t one of these companies have figured it out?
And as Equifax has made embarrassingly clear, a sloppy response to these breaches make the situation exponentially worse. “Safe” is both unattainable and short-sighted.
What you need to be asking instead
We need to think bigger than “safe.”
Our businesses need to assume and accept the eventuality of a breach, and to make sure we can weather the aftermath. Instead of “Are we safe,” we should ask, “Are we prepared?”
Preparation has lots of layers, including:
- Preventative measures like anti-virus, updated firewalls, and trained spam filters.
- Ongoing risk assessments to identify and remediate vulnerabilities.
- Ongoing security awareness training for your staff.
- A robust backup and disaster recovery solution that is tested regularly.
- Written, enforced policies to address passwords, employee separation, data privacy, mobile device use, etc.
- A written incident response plan.
- Cyber liability insurance (as appropriate).
Security isn’t an end-game activity; it is a multi-faceted, ever-evolving initiative that we must nurture over time.
So no, your company isn’t safe. It can’t be. But with the right approach, you can be prepared.