Now that I have your full attention – hopefully - let's consider and discuss what I consider to be five key things you need to know about cybersecurity for yourself, your company and your projects...
It's ok to start small. You don't have to plan out a major cybersecurity response team or infrastructure. Especially if you aren't currently experiencing a major cyber breach major event. What you do need to do is start somewhere and sometime and that time is right now. Whatever someone can do to hack you and your precious employee data or project data or project customer information has already been figured out but you haven't been targeted... yet. Either you aren't on a hacker's radar, or your data isn't important enough yet or whatever. Rest assured that at some point in the not too distant future you will be on their radar
Not if but when. Cybersecurity is not really about “if” you'll need to react, it's more about “when” you'll need to react. Nearly everyone and everything will experience some sort of theft, breach, infection, or infliction of cybercrime or cyberattack in the next decade... and probably sooner. 25% of my own clients – some of which are fairly small – have been affected by a cybersecurity issue in the past two years. The key is to be ready. Hopefully to mitigate, but since that may be futile, at least be ready to respond and fix and close holes and cleanup quickly. You don't need an army of experts to do this – hopefully – but it is best to have one or a few prepared in house to respond and maybe an external expert you've already connected with who could assist depending on the extreme need and available budget.
Read the books - info is abundant. There are books available all the time on cybersecurity. If you are looking to grow an internal staff starting with one or two, then social media and these books are a great way to start. Detailed, expert certification isn't necessary to begin with, just some knowledge, dedicated interest and materials – like books, videos, webinars, seminars, the annual Black Hat conference here in Las Vegas and other locations. All of these will help build awareness and knowledge in your cybersecurity startup staff. Great books, articles and other materials are readily available to help get your response team off the ground and ready – use them.
Start with a consultant. You may not need an expert consultant, but it would be a very good idea to connect with one in case you do. And maybe the expert consultant is the way to go if you're not able to hire or train any staff but would rather pay “through the nose” if and when the need to react to a cybersecurity incident happens. It's not cheap to get an air conditioner repair person on a Sunday in Las Vegas in July when it's 115˚ or a plumber at midnight, and it's not going to be cheap to get an external cybersecurity expert consultant after a breach has occurred. But that may be all you need and whether or not you ever call in an external expert consultant, it's a good idea to have the connection already in place.
It's not always about money. A breach will cost you. You will have to close up the loop somehow and work to ensure that it doesn't happen again. If it happened once it can happen many times. And maybe this time it wasn't about data or revenge or getting sensitive client info or financial info or ransomware. It isn't always about money that someone wants from you or data that they can sell to others. Sometimes you are a random target or it's just about the sport of getting into something you're not supposed to get into. But you must take measures because next time it may be about sensitive data or holding information for ransom. This may have been a test run for something much bigger later. So, the breach – if you experienced one – will cost you so patch it fast and figure out how to not let it happen again... to the best of your ability.
Summary / call for input
I wish I could tell you everything will be alright. True that most people are good, and you really only hear about the bad ones in the news. And there are many good hackers out there – trying to help organizations better prepare by exposing weaknesses and issues – and they are paid handsomely for it. But there are those hackers who are looking to thrive financially or just have fun at your expense. Eventually you are likely to be affected to some degree by one of these and taking some initiative now to be at least ready to respond is your best course of action.
Readers – what are your thoughts? Has your organization – or even your personal self – been affected? How has your organization prepared or responded to concerns of even breaches? Do they see they need to be proactive or just waiting to react as most organizations seem to be doing. Please share and discuss.