Do you know what you don't know? It's not a tongue twister but an important question that all organisations must ask themselves when thinking about the risk that cyber crime presents to their business.
The European Commission has announced that tough penalties will be levied on businesses that do not abide by security policies. From March, under the E-Privacy Directive, telecoms companies must publicise data breaches, resulting in widespread concerns about the damaging effects that breach notification could have on business and brand.
Most organisations aren't aware that their businesses face security risks, often because they haven't looked, haven't noticed, don't think anyone would want to attack them, or are confident that their network is secured. However, without understanding the risk, you can't make an assessment about the threat.
Twenty years ago, if you wanted to access a business's network, you would have to request permission from the owner. Today it's more complicated than that. Next-generation working practices, globally connected teams and mobile working have introduced a wide range of risks, and the challenge is to mitigate and manage them.
Businesses have two choices. They can: A) lock, block, ban and stop, or B) acknowledge the business benefits of global connectivity and enable their organisation to embrace the new opportunities it presents, whilst ensuring operations run securely.
Then you need to ask yourself what you are trying to protect. The answer to this question is crucial to ensuring that you are investing in the right preventative measures. Start by considering the biggest possible impact on your company, and the potential causes. This should reveal what your vital assets are. For example, if your company is about to file its annual financial figures, the impact of an attack could compromise the confidentiality and integrity of data, so your financial system may be number one on your list of assets to protect.
It's important not to forget the part that the workforce plays in network security. Certainly, by sharing best practice and explaining security risks to your workforce, including what needs to be done to keep the business safe, you'll find that they take individual responsibility for their actions and are much more proactive.
In summary, if you don't know what your risks are, then a threat exists for your business. The motives are there - in almost all instances driven by financial gain, whether it's customer credit card details, or valuable business data. The capability exists - there is no shortage of people that know how to execute targeted attacks, and the risk is heightened by current security models that are largely only minimally effective against cyber criminals.
Security breaches not only compromise organisations' vital assets but fundamentally affect the trust that people place in a business, significantly reducing the chance of new business, both now and in the future. No organisation is risk free; what is important is that threats are recognised and that the right processes are put in place to protect against potentially devastating consequences.