Protecting your digital assets is very much like looking at the whole board. A proper defense is not just one thing, but comprises a systematic construct of what you know (past events, known best practices, proven strategies), what measures you plan on putting in place, and the anticipation of what your adversaries might try to do.  This would be augmented by an endless cascade of if/then planning and dry runs to prepare for an attack.

A security program should not be static but a living, breathing thing that is ever-changing based upon the observations you make and information you gather. It is a series of defenses and actions premised on what your opponent is doing to others, and perhaps will do to you. For this reason, technology alone won’t guarantee success. While best practices around firewalls, protection systems, network configurations, passwords and processes is essential, people—as in ALL the people in your company—need to play a vital role. This cannot be understated. While it’s true that people often cause cybersecurity risks and outright breaches through negligence or idle curiosity or ignorance, they can also be educated to help identify and stop bad behavior. That said, an annual security “training” program alone won’t do this. A continuous communication campaign that engages the employees and gives them a forum where they can ask questions and learn how to better protect their personal digital world will pay a nice security dividend. If you can show them how their efforts as an integrated part of your security team have paid off, you will have built a security function that isn’t static but considers the changing world. By using your company’s staff as part of your security program, you are now looking at the whole board!

– See more at: http://www.transaccelgroup.com/blog/2015/05/07/what-would-bobby-fischer-do-taking-a-cybersecurity-lesson-from-a-chess-master/#sthash.1u1vHupb.dpuf

Why is Cyber/Computer Security so far down on your to-do list? If your reasons are any of the following, you might want to reconsider your priorities.

• Because you live under a mushroom or live off the grid.
• Because your environment is in such disarray that if someone did breach it, the chances of him or her finding anything of value would be remote.
• Because you believe that you are only a little fish in a big pond and hackers have much bigger companies to go after.
• Because no one has requested it and you have more than enough other problems to handle right now.
• Because you don’t know where to start.

Let’s address each of these points in turn.

They can’t find you.  On a recent episode of 60 Minutes, Dave DeWalt, CEO of cyber security company FireEye, asserted that 97% of all companies are being breached. Ninety-Seven percent. So, unless you truly live off the grid, you have likely had a breach already. The real question is how bad is the damage?

They can’t find your valuables.  These criminals are very sophisticated and have the knowledge, tools and patience to find your sensitive data and exploit it.  Hacking has evolved from the lone geek making mischief to an actual profession and, as Lance Cottrell, Chief Scientist at Ntrepid and expert on security and privacy writes, “In most breaches, it turns out the hacker has been inside the network for months.”

Your valuables aren’t worth it.  Wrong again. They aren’t always interested in your data; often they are interested in your financial partner, investor, supplier and customer. Anything sensitive they can sell or make profit from.

You have other priorities.  You will always have other priorities. But believe me, if the hackers come—and they will—you will have to deal with the fallout and that will become your new priority.  With several methodologies at hackers’ disposal such as viruses, malware, botnets and ransomware, cleaning up the damage will be more involved than you think.

You don’t know where to start. Improving your security begins with having a prioritized list of actions based on risks to your company.  A risk assessment will accomplish that and, at the same time, help you raise awareness and understanding with your executives of possible threats and the cost of inaction. It will also demonstrate confidence that you and your team are pro-actively dealing with the today’s cyber security reality: it’s not a question of if, but when.

What is your reason for not having an information security and risk assessment performed ASAP?

If the real reason is you don’t know how, that is where we can help.