Cyber Security for the Overworked, the Uninterested and the Innocent Spectator
Emma Osborn - 7 May 2018
I started my business a few months ago. I’m a cyber security specialist; I’ve spent time in industry and in academia. For the last 4 years I’ve been researching how small organisations approach cyber security. I’ve read all of the advice, I’ve heard all of the complaints, documented all of the excuses. I decided to go into business partly because I wanted to provide better knowledge to an under-served marketplace, partly because my credibility as a researcher in this field is greater for taking this risk.
What have I learned in the first few months?
Wow, you really weren’t kidding…
I already knew from my research that the pressure to do good security was just one of many. I knew that the enormous pressure from bigger customers to comply was overshadowed by a lack of co-operation from suppliers. That the advice offered didn’t fit the business reality.
We may ‘only’ be talking about passwords, updates and config… but security really is just as hard in any context. The 5 realities even a cyber security expert experiences?
1. GDPR processes become disproportionate.
Right now GDPR trumps all. There’s potential for enormous fines, nobody knows how the precedents will be set and the cyber security requirements are, unfortunately, fuzzy. Most people’s fear is that the only ‘reasonable’ security is not having a breach… despite breaches also being considered inevitable.
It means that I currently have no office, no employees, one website, one smartphone, one cloud backup, one shoebox of assorted invoices and receipts… and in comparison what feels like a whole tree’s worth of GDPR policies, procedures and training.
At this point, probably alongside quite a few other businesses, I’m actively seeking ways to not collect personal data. Ironically, this will mean that I’ll be delegating to those social networks whose privacy practices we so often find reason to question.
2. Fearful sales.
I’m surprised about the number of cyber security experts I meet who emphasise the need to ‘scare the pants off of’ customers to get them in the door. The research literally says the opposite: if someone is frightened enough of cyber security they’re like a rabbit in the headlights. The problem seems insurmountable, so they work on something else. A problem that they know they can solve.
Security takes time to develop as a culture within an organisation. Anybody attempting to undermine my confidence, so that they can sell me a technical panacea to my problems, is waving a great big red flag. Pragmatism and a gradual reduction of risk is more my cup of tea.
3. Time is money and due diligence costs time.
Like any new business owner, having acquired my first customer, one of the first things I needed was IT. What did my due diligence process look like?
Me: “Before we go any further, could you tell me what cyber security standards you have in place to protect my data? As you’re a [big brand] reseller, do they audit your security?”
Provider, after a 10-day delay: “We have ISO 27001 and a bunch of pharma customers, so I’m sure we’ll be secure enough for someone who only wants a 1-seat subscription.”
Me: “Could you set me up the admin account separately to the account that you attach my subscription to please?” (Not using an admin account for everyday tasks is cyber security best practice after all.)
Provider: “Yes, of course...”
Not only did they configure me one account with full admin rights, they only gave me the URL to access the product via the admin portal. I was left to google how to access the thing I was paying for, before I could use the account that I had to create for myself.
Provider: “We’ve set up everything you asked for, but it’s only half set up, because although we asked you what you were looking for in a way that looked like it was all included in the price, we want you to pay us for our consultancy.”
This was where point 5 and the cupcakes come in… there was no way I was giving these people more money.
Despite the difficulties, it was still worth asking about cyber security for my own peace of mind and because good config is so important. But it’s worth knowing that our *ahem* service providers might think that even answering questions about the quality of their service is outside of their remit.
4. The experts we employ…
It’s perfectly acceptable for a very small business to employ an accountant. Nobody would have told me that I could buy a couple of cheap pieces of software and totally replace that knowledge. Not many would blink if I employed a solicitor, but with the growth of cloud services the level of IT support we seek is dwindling.
I can do my own bookkeeping, I can read a balance sheet. I still employ an expert… he does the important number crunching, tells me what columns are missing in my spreadsheet, and most importantly provides the answer when I’m in doubt.
Frankly, we’re not far off of needing the same level of support for cyber security, but the important thing is that he’s gently training me. For a price, he’d take a shoebox of screwed-up receipts and make sense of it for me. Instead, he’s telling me what’s missing and how to make the job quicker.
5. In the end, even I resorted to cupcake bribery.
Sometimes what we need, more than anything, is to be able to share a problem. No cyber security problem I’ve been faced with was something the average entrepreneur couldn’t do with a little bit of training… but when faced with yet another niggling little problem or vague requirement, it’s nice to be able to call in some backup. And then share a tea break.