<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TransAccel Group &#187; Risk Assessment</title>
	<atom:link href="https://transaccelgroup.com/tag/risk-assessment/feed/" rel="self" type="application/rss+xml" />
	<link>https://transaccelgroup.com</link>
	<description>Improving IT Processes &#38; Services</description>
	<lastBuildDate>Tue, 03 Jul 2018 13:13:15 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=4.2.38</generator>
	<item>
		<title>Is Your Head in the Cyber Security Sand?</title>
		<link>https://transaccelgroup.com/2015/04/09/is-your-head-in-the-cyber-security-sand/</link>
		<comments>https://transaccelgroup.com/2015/04/09/is-your-head-in-the-cyber-security-sand/#comments</comments>
		<pubDate>Thu, 09 Apr 2015 21:36:29 +0000</pubDate>
		<dc:creator><![CDATA[Greg Scott]]></dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[Security Awareness]]></category>
		<category><![CDATA[Security Due Diligence]]></category>
		<category><![CDATA[Security Strategy]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=5407</guid>
		<description><![CDATA[“We started as a relatively small company. Through success and internal growth along with some acquisitions, we are now a medium-sized company using the same policies and processes as when we first started.” Does this sound familiar? If so, take solace in knowing that you are not alone, but things have to change. For many companies, growth has outpaced their policies and processes, which can be a risky situation, especially in cyber security. In information security, due care means “acting responsibly and doing the right things.” While information security is a very complex field, there are certain basic building blocks that must be in place for every company. Ask yourself: Do you know your company’s most important assets, where they are located, and how they are protected? Do your employees understand their role in information security? Do you understand the major vulnerabilities within your company? Do you know the major threats and threat agents to your company / industry? Do you know how your company would respond in the event of a cyber attack? When the topic of cyber security comes up, most people think about firewalls, intrusion protection/detection systems, and other technical solutions. While these are inevitably part of the solution space, if you are hesitant or unsure of the answers to any of the questions listed above, you could be negligent in providing “due care” for your company. You probably understand the things that need to be done to make your company secure from an information perspective. Nevertheless, not taking action—even by doing something as small as raising the issue with your leadership—can be construed as not “acting responsibly.” Knowing what to do and actually doing it are two completely different things. [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>“We started as a relatively small company. Through success and internal growth along with some acquisitions, we are now a medium-sized company using the same policies and processes as when we first started.”</p>
<p>Does this sound familiar?</p>
<p>If so, take solace in knowing that you are not alone, but things have to change. For many companies, growth has outpaced their policies and processes, which can be a risky situation, especially in cyber security.</p>
<p>In information security, due care means “acting responsibly and doing the right things.” While information security is a very complex field, there are certain basic building blocks that must be in place for every company.</p>
<p>Ask yourself:</p>
<ul>
<li>Do you know your company’s most important assets, where they are located, and how they are protected?</li>
<li>Do your employees understand their role in information security?</li>
<li>Do you understand the major vulnerabilities within your company?</li>
<li>Do you know the major threats and threat agents to your company / industry?</li>
<li>Do you know how your company would respond in the event of a cyber attack?</li>
</ul>
<p>When the topic of cyber security comes up, most people think about firewalls, intrusion protection/detection systems, and other technical solutions. While these are inevitably part of the solution space, if you are hesitant or unsure of the answers to any of the questions listed above, you could be negligent in providing “due care” for your company.</p>
<p>You probably understand the things that need to be done to make your company secure from an information perspective. Nevertheless, not taking action—even by doing something as small as raising the issue with your leadership—can be construed as not “acting responsibly.” Knowing what to do and actually doing it are two completely different things. There will always be the “hot,” critical project that needs attention, but ignoring what you know to be absolutely necessary is comparable to a “dereliction of duty.” Taking key resources away from information security operational activities to do project work is shortsighted and negligent, and puts you at risk as a company.</p>
<p>Don’t wait any longer. Now is the time to act and provide your company the level of due care that is necessary and expected.</p>
]]></content:encoded>
			<wfw:commentRss>https://transaccelgroup.com/2015/04/09/is-your-head-in-the-cyber-security-sand/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ASSESSING YOUR ORGANIZATION’S CYBER SECURITY: THINK YOU’RE UP TO IT?</title>
		<link>https://transaccelgroup.com/2015/03/11/assessing-your-organizations-cyber-security-think-youre-up-to-it/</link>
		<comments>https://transaccelgroup.com/2015/03/11/assessing-your-organizations-cyber-security-think-youre-up-to-it/#comments</comments>
		<pubDate>Wed, 11 Mar 2015 16:58:56 +0000</pubDate>
		<dc:creator><![CDATA[Bruce Lotier]]></dc:creator>
				<category><![CDATA[Risk Assessment]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Data Breach]]></category>
		<category><![CDATA[Data Security]]></category>
		<category><![CDATA[Mobile Security]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Security Assessment]]></category>
		<category><![CDATA[Security Compliance]]></category>
		<category><![CDATA[Security Training]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=5969</guid>
		<description><![CDATA[The Enron debacle will forevermore be a parable about delusional self-auditing. In much the same way, Cyber Security should never be assessed using internal staff and mechanisms; the ramifications of missing something are simply too great. According to Cenzic’s Application Vulnerability Trends Report: 2014, “While the majority of corporations have the important security building blocks, such as firewalls and intrusion protection systems needed for their security infrastructure, not enough organizations have comprehensive tools and practices in place for securing applications.” Faced with a worldwide shortage of Cyber Security professionals (Cyber Security has only recently become a discipline one may major in!), and companies unable to afford the overhead necessary for the requisite training, this situation is not surprising. Bad news for you. Good news for hackers. Still think you can go it alone? Do you really understand the sheer magnitude of possible vulnerabilities? Here’s a sobering thought: Everything on the network is hackable. Everything—from your corporate computers to a 3rd party vendor to your employees’ Smartphones. Add to this the risky behaviors employees can engage in—sharing passwords, inappropriate web browsing, copying sensitive data onto mobile devices—and you’ve got exposure. Lots of it. 
An objective Cyber Security assessment can assist with evaluation and establishment of controls to: Implement an information risk management program Ensure network security is adequate, including boundary and internal Guide user education and awareness Verify malware protection and prevention Deal with secure configuration and patch management for devices (network, servers, PCs) Manage user access and privileges Handle incident management Assist with home and mobile working If you feel you aren’t ready to tackle all the items above, you should at least undertake a basic evaluation to consider only the most foundational building [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>The Enron debacle will forevermore be a parable about delusional self-auditing. In much the same way, Cyber Security should never be assessed using internal staff and mechanisms; the ramifications of missing something are simply too great.</p>
<p>According to Cenzic’s Application Vulnerability Trends Report: 2014, “While the majority of corporations have the important security building blocks, such as firewalls and intrusion protection systems needed for their security infrastructure, not enough organizations have comprehensive tools and practices in place for securing applications.” Faced with a worldwide shortage of Cyber Security professionals (Cyber Security has only recently become a discipline one may major in!), and companies unable to afford the overhead necessary for the requisite training, this situation is not surprising. Bad news for you. Good news for hackers.</p>
<p>Still think you can go it alone? Do you really understand the sheer magnitude of possible vulnerabilities? Here’s a sobering thought: Everything on the network is hackable. Everything—from your corporate computers to a 3rd party vendor to your employees’ Smartphones. Add to this the risky behaviors employees can engage in—sharing passwords, inappropriate web browsing, copying sensitive data onto mobile devices—and you’ve got exposure. Lots of it.</p>
<p>An objective Cyber Security assessment can assist with evaluation and establishment of controls to:</p>
<ul>
<li>Implement an information risk management program</li>
<li>Ensure network security is adequate, including boundary and internal</li>
<li>Guide user education and awareness</li>
<li>Verify malware protection and prevention</li>
<li>Deal with secure configuration and patch management for devices (network, servers, PCs)</li>
<li>Manage user access and privileges</li>
<li>Handle incident management</li>
<li>Assist with home and mobile working</li>
</ul>
<p>If you feel you aren’t ready to tackle all the items above, you should at least undertake a basic evaluation to consider only the most foundational building blocks for cyber security.</p>
<p>In a survey of its 3,400 global members, Information Systems Audit and Control Association (ISACA) found that although 83% of the respondents recognized Cyber Attacks as among their “top three threats,” only 38% felt prepared to endure one. Make sure you are part of that 38%. If you do nothing else, purchase cyber insurance. If you are ready to take additional steps, we can help.</p>
<p>P.S. On our C4C blog we recently wrote about the fallacy of thinking you are too small to garner a hacker’s attention. I can’t stress the following enough: While big companies more often make the news by getting breached for millions of records, they also have the financial resources to dig out of that hole. Small companies aren’t as lucky. A data breach at a small company can mean closing the doors, for good. Don’t let that happen.</p>
]]></content:encoded>
			<wfw:commentRss>https://transaccelgroup.com/2015/03/11/assessing-your-organizations-cyber-security-think-youre-up-to-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers Aren’t Waiting. Why Are You?</title>
		<link>https://transaccelgroup.com/2015/02/11/hackers-arent-waiting-why-are-you/</link>
		<comments>https://transaccelgroup.com/2015/02/11/hackers-arent-waiting-why-are-you/#comments</comments>
		<pubDate>Wed, 11 Feb 2015 17:43:24 +0000</pubDate>
		<dc:creator><![CDATA[Bruce Lotier]]></dc:creator>
				<category><![CDATA[security]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Hackers]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[Risk Assessment]]></category>

		<guid isPermaLink="false">http://ws2.telnex.us/~transaccelgroup/?p=5975</guid>
		<description><![CDATA[Hackers Aren’t Waiting. Why Are You? Why is Cyber/Computer Security so far down on your to-do list? If your reasons are any of the following, you might want to reconsider your priorities. Let’s address each of these points in turn. They can’t find you.  On a recent episode of 60 Minutes, Dave DeWalt, CEO of cyber security company FireEye, asserted that 97% of all companies are being breached. Ninety-Seven percent. So, unless you truly live off the grid, you have likely had a breach already. The real question is how bad is the damage? They can’t find your valuables.  These criminals are very sophisticated and have the knowledge, tools and patience to find your sensitive data and exploit it.  Hacking has evolved from the lone geek making mischief to an actual profession and, as Lance Cottrell, Chief Scientist at Ntrepid and expert on security and privacy writes, “In most breaches, it turns out the hacker has been inside the network for months.” Your valuables aren’t worth it.  Wrong again. They aren’t always interested in your data; often they are interested in your financial partner, investor, supplier and customer. Anything sensitive they can sell or make profit from. You have other priorities.  You will always have other priorities. But believe me, if the hackers come—and they will—you will have to deal with the fallout and that will become your new priority.  With several methodologies at hackers’ disposal such as viruses, malware, botnets and ransomware, cleaning up the damage will be more involved than you think. You don’t know where to start. Improving your security begins with having a prioritized list of actions based on risks to your company.  A risk assessment will accomplish that and, at [&#8230;]]]></description>
				<content:encoded><![CDATA[<p>Hackers Aren’t Waiting. Why Are You?</p>
<p>Why is Cyber/Computer Security so far down on your to-do list? If your reasons are any of the following, you might want to reconsider your priorities.</p>
<style type='text/css'>
  #checklist-1 li:before{color:#757575 !important; content:'\f111' }
	</style>
<ul id="checklist-1" class="list-icon circle-no list-icon-fa-circle">
<li>Because you live under a mushroom or live off the grid.</li>
<li>Because your environment is in such disarray that if someone <em>did</em> breach it, the chances of him or her finding anything of value would be remote.</li>
<li>Because you believe that you are only a little fish in a big pond and hackers have much bigger companies to go after.</li>
<li>Because no one has requested it and you have more than enough other problems to handle right now.</li>
<li>Because you don’t know where to start.</li>
</ul>

<p>Let’s address each of these points in turn.</p>
<p>They can’t find you.  On a recent episode of <em>60 Minutes</em>, Dave DeWalt, CEO of cyber security company FireEye, asserted that 97% of all companies are being breached. <em>Ninety-Seven</em> percent. So, unless you truly live off the grid, you have likely had a breach already. The real question is how bad is the damage?</p>
<p>They can’t find your valuables.  These criminals are very sophisticated and have the knowledge, tools and patience to find your sensitive data and exploit it.  Hacking has evolved from the lone geek making mischief to an actual profession and, as Lance Cottrell, Chief Scientist at Ntrepid and expert on security and privacy writes, “In most breaches, it turns out the hacker has been inside the network for months.”</p>
<p>Your valuables aren’t worth it.  Wrong again. They aren’t always interested in your data; often they are interested in your financial partner, investor, supplier and customer. Anything sensitive they can sell or make profit from.</p>
<p>You have other priorities.  You will always have other priorities. But believe me, if the hackers come—and they will—you will have to deal with the fallout and <em>that</em> will become your new priority.  With several methodologies at hackers’ disposal such as viruses, malware, botnets and ransomware, cleaning up the damage will be more involved than you think.</p>
<p>You don’t know where to start. Improving your security begins with having a prioritized list of actions based on risks to your company.  A risk assessment will accomplish that and, at the same time, help you raise awareness and understanding with your executives of possible threats and the cost of inaction. It will also demonstrate confidence that you and your team are proactively dealing with today’s cyber security reality: it’s not a question of if, but when.</p>
<p><strong>What is your reason for not having an information security and risk assessment performed ASAP?</strong></p>
<p><strong>If the real reason is you don’t know how, that is where we can help.</strong></p>
]]></content:encoded>
			<wfw:commentRss>https://transaccelgroup.com/2015/02/11/hackers-arent-waiting-why-are-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
