Cyber security professionals traditionally use a risk-based approach to prioritise incremental security enhancements to existing business systems, on the basis that the business systems within large enterprises are typically too numerous, complex and expensive to be replaced wholesale.
All software and hardware systems contain bugs, some of which are security vulnerabilities that attackers can exploit. Attackers also target the supply chains that design, build, distribute and deploy those systems, which can introduce vulnerabilities into components and systems that are otherwise trusted.
Cyber security assurance for each system component is complex, time consuming and expensive, and the challenge grows rapidly as the number of components, and the number of interactions between them, increases.
This is why cyber security can be so expensive relative to the number of people in the business, and why government advice tends to focus on a few basic security measures, such as passwords, backups, anti-virus, firewalls, security updates and user vigilance. See the NCSC Small Business Guide.
These measures undoubtedly make the business more difficult, time consuming and expensive to attack, but they can themselves be time consuming and expensive to implement, because they depend so heavily on changing the culture of the business, and that is hard to do without a clear sense of urgency.
The reality is that even when perfectly implemented these security measures do not go far enough to protect the business from the most serious and determined attackers, even though they will significantly reduce the number of minor opportunistic attacks.
Many businesses can replace insecure business systems with ones that are Secure by Default, with significant benefits in terms of cost and security, so the emphasis of the risk-based approach becomes selection and configuration of relevant systems and user acceptance of the new solution.
It may seem counter-intuitive at first, but implementing a secure business management system may be cheaper and deliver substantially greater business process improvement, particularly when the whole team is involved in specifying, configuring and adapting the system to the business needs.