I have been asked many times by company bosses whether there is such a thing as a 100% cyber-secure environment.
The simple answer is NO.
There is no such thing as a 100% secure environment, especially when you are connected to the Internet.
To have near 100% protection, you would need a team of security specialists with a wide range of disciplines, from networks and systems to applications. The cost of hiring and maintaining them will in itself be a financial deterrent for most small and medium-sized companies.
Hence, cybersecurity for SMEs is, at best, done on a best-effort basis.
An IT network is like a human body
A company's IT environment is like the human body. It is composed of many parts.
Like each human organ with its own ailments, each component in the IT network has its vulnerabilities.
While we try our utmost to stay in the pink of health by working out and eating right, our body will nonetheless be susceptible to some ailments. A case in point is the recent COVID-19 virus outbreak. The outbreak affected everyone, both the healthy and the unhealthy.
This analogy applies to a company’s IT environment. While everything can be done to protect it from an attack, if there is a new virus or a deliberate, focused attack on the network, the network will be compromised. There have been many cases of such breaches, even in organizations with sophisticated cybersecurity defenses.
Vulnerabilities exist across the entire IT landscape, from network infrastructure and systems to applications. Even the people working on it are a vulnerability.
Let’s begin with perimeter defenses like firewalls: ports could accidentally be left open, allowing savvy hackers to use them to enter the network.
All computing devices and servers need an operating system. These operating systems themselves are notoriously buggy. You can tell by the number of updates you need to do per year.
A savvy hacker could easily launch an attack at the core of these operating systems, and no one would know anything about it, including the software vendors themselves.
This is true for all other applications too.
This issue exists because software development companies were traditionally more focused on application functionality and usability. They were also pressed to launch their products quickly. Application security was not part of their initial design priorities. Hence security gaps abound.
To make matters worse, companies across the board are adopting more technology than ever. Hence there will be more and more vulnerabilities for cybercriminals to exploit.
When IoT becomes pervasive, connecting everything, the malaise of cyber breaches and their impact will increase exponentially. It will then be a cybersecurity nightmare.
Lack of priority
In most small and medium-sized setups, having a baseline cybersecurity defense is not a priority for management.
They are typically more concerned about sales, profitability, and operational matters than about security matters.
However, this attitude needs to change, because the likelihood of a breach increases every day as cybercriminals become more sophisticated.
The situation is more pressing now that privacy laws have been put in place.
Under most privacy laws, directors of companies are held responsible for any breaches involving personal data. This is regardless of whether they were directly involved or not.
Implementing a baseline cybersecurity solution and having an education program for employees are more critical than before.
Not many companies are aware that the cost of implementing a cybersecurity solution is a fraction of the cost of any ransom payment or fines. Bosses should consider looking into how to improve their company’s cyber posture.