What is the first thing that comes to mind when you hear the word cyber protection (or cybersecurity, as some prefer to call it)? Perhaps it’s a photograph of people working in a security operations centre (SOC). Perhaps you picture a group of security analysts frantically tapping away on their laptops.
So what exactly is cyber security? I understand that not everybody is a tech whiz and may be perplexed by the various meanings of the word. So, let’s take a look at what this word actually means for corporations, organisations, and individuals, as well as why cyber protection is everyone’s duty within a company.
What Is Cyber Security?
Cyber security is a broad concept that can mean many different things to different people. But, in the end, what is cyber security all about? Some people define cyber protection as a set of technologies, policies, procedures, and people that work together to protect your technology, intellectual property, and other sensitive data from unauthorised access and harm. Others may simply refer to it as a critical component of your company’s information and data security strategy.
However, doing everything in your power to avoid unauthorised access to your digital networks and data is a massive part of the driving force behind cyber protection. In a nutshell, cyber security is about safeguarding computers and data from cyber security threats and assaults, many of which result in expensive cybercrime. Given that the FBI’s Internet Crime Complaint Center (IC3) estimates that cybercrime losses surpassed $3.5 billion in 2019, it’s easy to see that any company should beef up its cyber security defences to foil as many threats as possible and minimise the harm caused by those that succeed.
If you’re unsure what types of “tech” come under the umbrella of cyber security issues, look no further. Computers, mobile devices, networks, servers, IoT connected devices, cloud storage, physical storage devices, and other IT infrastructure are all protected by cybersecurity. However, cyber protection encompasses a wide range of security issues as well as the policies that impact them. It also includes:
- Application Security
- Network Security
- Operational Security
- Physical Security
- Security Policies
Why Cybersecurity Matters to Large & Small Businesses Alike
Cyber security is crucial to many facets of a company’s operations, something many business leaders are unaware of. It’s not just about safety and keeping your business secrets safe.
Maintaining the security of your data and systems helps you establish confidence and maintain a good image in the industry. (This can be very beneficial to client and investor relationships.) Effective cyber protection will also help you avoid expensive non-compliance fines and penalties.
What Is Cyber Security All About? The Experts Respond to 3 Questions
We figured it would be interesting to find out how other industry experts define cyber security. As a result, we enlisted the help of 13 cybersecurity experts to find out how they define and explain cyber security. They also discussed the top cybersecurity concerns and threats that companies are facing today, as well as what businesses can do to improve their cyber defences.
Here’s what they had to say about the question “what is cyber security?”
How Would You Define or Describe Cyber Security?
“Cybersecurity is a holistic way of securing an organization’s data that is mission-focused, using a balance of people, technology, and policies, that continuously improves.”
— Ken Underhill, an award-winning business consultant, entrepreneur, and cybersecurity leader
“Cyber security is protecting the digital assets and productivity tools of the company and customers from loss, misuse, and inability to access.”
— Almi Dumi, CISO eMazzanti Technologies
“I like the CISSP triad. Cybersecurity means protecting systems from the loss of confidentiality, integrity, and availability. Eyes usually glaze over by the time I finish that sentence.”
— Greg Scott, long-time cybersecurity and technology professional
“Cybersecurity can be defined as a set of processes and technologies that are established to protect networks, devices, data, and programs from unwanted access and damage.”
— Jovan Milenkovic, a tech and safety expert at AhoyGaming
“Cybersecurity is the practice of defending technology from an attack that happens via the internet, ethernet, Wi-Fi/radio signal, telephone or physical access. Cybersecurity is designed to protect computers and networks from theft or damage of hardware, software and electronic data.”
— Pieter VanIperen, managing partner at PWV Consultants
Jeremy Haas, Chief Security Officer and Senior Vice President of Analytics at LookingGlass Cyber Solutions, takes a bit more of an academic approach when it comes to defining cyber security:
“Before defining cyber security, one must define cyber. Cyber is the virtual and logical environment that is represented by and processes digitally encoded information. This digitally encoded information represents the data, intellectual property, computer instructions, software, and hardware used to store, process, and transmit this information. Cyber security is the practice of ensuring the confidentiality, integrity, and availability of this virtual and logical environment’s information and functionality.”
— Jeremy Haas, CSO at LookingGlass Cyber Solutions
The next few experts offer more in-depth perspectives of what cybersecurity is and what it does:
“Cyber security [is] the processes and mechanisms applied to provide for the confidentiality, integrity, and availability of one’s digital assets. In other words, to ensure that those who are authorized can always access their digital assets, while simultaneously ensuring that those who are unauthorized are never able to gain access (either to view, corrupt, delete) those assets.
Digital assets include everything from customer lists and trade secrets, to employee information, records, e-mail, source code, databases, passwords, server logs, internet traffic, backups, and any other information related to the business or organization in question, for which there are concerns over either losing that information, or having it be exposed.”
— Jason Resch, founder at AlwaysAsking
“The heart and soul of most businesses is their data. Take away their data, and they’re out of business almost instantly and probably for good. That puts data high on the list of your most essential assets. Because data lives on computers, it’s subject to the realm of cyber security. Cyber security is the preservation of data and keeping it private.”
— Eric Mintz, CEO of EM Squared
“Cyber security refers to the protection, and response to a violation of such protection, of a company’s digital information. The first part of the definition concerns how a company goes about protecting its digital information from internal and external threats. Through the use of hardware and software devices, company policies and electronic policies, a company aims to protect its data from being accessed, taken or altered by an unauthorized individual.
The second part of the definition concerns how a company responds to a potential compromise of its data. Does it have a plan in place in such a situation? How did they execute that plan? What was the result of investigating the incident?”
— Greg Kelley, CTO of Vestige Digital Investigations
What Is the Most Important Consideration When It Comes to Effective Cybersecurity for Small Businesses?
“The most important consideration for small businesses is to not ignore it and don’t wait until you have a problem. Cybersecurity is active, and not passive. There are about 5 security controls for small businesses, that if done effectively, provide the most impact so effective cybersecurity doesn’t have to be complicated or intimidating. It’s not a matter of if you have a problem, but when.”
— Jeremy Haas, CSO at LookingGlass Cyber Solutions
“The biggest single consideration is cost and complexity vs effectiveness. Keep your environment simple, work with a good provider or in-house team and focus on getting the basics right: Staff training, patching and a good backup plan.”
— Todd Gifford, CTO of Optimising IT
“Small business owners need to look at information technology as an asset instead of an expense. I remember talking to a dentist a few years ago. He stored his patient x-ray images on an obsolete Windows XP system tucked away in an unused cubicle. When I asked him what would happen to his practice if those x-rays were to disappear, he replied that he didn’t need computers to practice dentistry. I challenged him to turn off all his computers and run his practice for one day without them. He never returned another phone call or email after that.
Business owners care about their assets and take tangible steps to protect them, but they minimize expenses.”
— Greg Scott, a long-time cybersecurity and technology professional
“This can be difficult to answer quickly because there are so many different types of small businesses, and each small business may utilize different hardware and software that could make them vulnerable to ‘cyber attacks.’ When people talk about this, they are generally referring to malware, which is ‘any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including computer viruses, worms, trojan horses, ransomware, spyware, adware, rogue software, and scareware.’
Notwithstanding the above, a quick way to start intelligently thinking about cyber security is to think about which devices have connectivity to the outside world (this of course includes the Internet, but also includes USB drives that may be used between computers within the business and elsewhere), and then think about how information (data) flows between them.
To whom is data being sent? How is data being downloaded? Who has the ability to download information and/or install programs? This is akin to thinking about security in one’s home. If you install a lock on your door, who has the key? And also an important thing to remember is that there is a potentially fatal structural flaw built into all locks, whether they are software or hardware based; and that vulnerability is that it can only work if you use it. Having a lock on your door is great. But if your door is not locked, then the lock is useless.”
— Joshua Weiss, CEO of TeliApp
“Convincing a small business that they are just as big a target as the vast majority of companies out there because they are merely connected to the internet. Many small companies think that they don’t have to worry about it because they are small, do not have large revenues or do not have sensitive information. Nothing can be further from the truth. Cyber criminals target any and all companies by casting a wide net and will gladly steal your payroll, rental payments, payment to vendors or from customers or encrypt all your data grinding your company to a halt until you pay them.”
— Greg Kelley, CTO of Vestige Digital Investigations
“Humans are the weakest link in cybersecurity and hence, the most important consideration. In addition to implementing a commercial grade firewall and other basic network security measures, small business owners should have a security expert come into the workplace to train employees and evaluate weaknesses.”
— Almi Dumi, CISO eMazzanti Technologies
“Focus on the fundamentals. Many small business owners I work with do not even use two-factor authentication and strong/complex passwords.”
— Ken Underhill, an award-winning business consultant, entrepreneur, and cybersecurity leader
“First and foremost, to identify all the information (created or held by) the organization for which there are security concerns, and then secondly, developing a plan to safeguard that information. Where safeguarding it involves one or both of preventing the irrecoverable loss of that information (through accident, negligence, or malice) and preventing the exposure of that information to unauthorized parties (again through either accident, negligence, or malice).”
— Jason Resch, founder at AlwaysAsking
“As an IT professional, I see computers getting attacked all the time; hundreds or even thousands of times per day. The attacks range from a “bot” trying over and over to guess your WordPress password, to [phishing] emails to trick you into giving up sensitive information, to implanting malware on your server that encrypts your data and holds it ransom.
The IT industry does a good job at protecting your digital assets. Getting “hacked” is a relatively rare event because nearly all businesses rely on the Pros for their security. But here’s the rub: for the Pros to win, they have to thwart all cyber attacks 100% of the time. For cyber criminals to win, they only have to penetrate the defenses one time.
Your number one defence against cyber crime is to let a Pro manage your security, someone who makes a career of knowing all of the risks, and guarding against them. Any good Pro will include computer backups as part of the defense. Even if the criminal wins just that one time, good backups will be the difference between being inconvenienced for a few hours while the backup data is restored, and being down for the count when your data is compromised.”
— Eric Mintz, CEO of EM Squared
For Jovan Milenkovic, a tech and safety expert at AhoyGaming, effective cybersecurity boils down to three main considerations:
- Knowing what the risks are will help you better protect your business. “When it comes to managing their business, many businesses are unaware of their risks. This is how they become victims of various corporations attempting to sell them remedies, and end up with something they don’t need. As a result, before defending your company against intruders, make sure to evaluate your threats and decide what, where, and how you should be protected.”
- Going above and beyond the bare minimum with identity protection. “In general, I believe that passwords are just the first step in keeping your business safe, and that businesses should not rely solely on strong passwords. To manage identities, they can use ones that have multi-factor authentication or biometric capabilities.”
- Recognizing the significance of good access control. “Access management is yet another factor to consider when attempting to cyber-proof a business, as it will aid in the protection of both internal and external data. That is why they should consider getting least-privilege access in the enterprise, and the more access they have, the higher the risk of a data breach.”
What Is the Biggest Challenge Facing Businesses When It Comes to Strengthening Their Cyber Defenses?
For this article, we received a variety of responses and viewpoints on what the “biggest” cybersecurity threat for businesses is. Some of them were predictable (budget concerns), while others went beyond the obvious.
Several experts focused on the issue that the greatest problem facing companies is the attitude of their owners and executives, though they expressed it in different ways.
“The biggest challenge businesses face is taking security seriously enough to not wait until it is too late to care, such as after a data breach occurs. By then, the damage has already been done; a company’s reputation has taken a hit and the breach has cost them millions. Do what needs to be done so that things do not get to that. Not all cyber security measures will be 100% foolproof; however, something is better than nothing.”
— Iyana Garry, a web security researcher
“Business owners and leaders sometimes have the mindset that security can be dealt with ‘later’ or that problems don’t need to be fixed right away. What ends up happening is an event or incident around those areas that forces the business into addressing it, which ends up costing more money than if it were in the budget.
For small businesses and startups, it’s largely a lack of funding vs. not allocating funds to security, as well as a lack of knowledge. Set aside funds to hire an expert at the beginning of the business to set the business up with cybersec practices. This will reduce costs long term. If the business is already operating, get setup as soon as possible. The longer a business waits, the more likely costs will explode.”
— Pieter VanIperen, managing partner at PWV Consultants
“The biggest challenge is quantifying the risks and investing appropriately in mitigations. The risks are always changing because cyber evolves and the threat actors evolve with it. When one attack stops working, the threats quickly change. And unlike the physical world where physical proximity is one factor that limits threats, in cyber, businesses can be attacked by anyone in the world with a computer and internet access. Cyber is the only environment where [thousands] of people and bots are attacking you every day, 24/7/365.”
— Jeremy Haas, CSO at LookingGlass Cyber Solutions
But it’s not just the leadership whose mindsets need to evolve. It also comes down to changing the practices and actions of other employees through cybersecurity awareness training.
“Changing the attitudes and risky behaviors of employees is the biggest challenge. Small businesses could do a lot to strengthen their cyber security posture by building a security-first mindset within the organization. For example, with a focus on cyber security technology, SMBs overlook the fact that ransomware works because of effective social engineering, i.e. phishing schemes. More effective cyber-security training can prevent it.”
— Almi Dumi, CISO eMazzanti Technologies
Another huge consideration for businesses has to do with employees being able to demonstrate cyber awareness.
“Most small business owners will complain they don’t have money to strengthen their cyber defenses. That masks the biggest challenge, which is awareness. Just like we teach everyone who drives a car what happens in a head-on collision, we need to teach small business owners about the threats that come with today’s internet opportunities. Business owners who appreciate the threat will find appropriate tactical tips — I have plenty and so do other security professionals. But those tips only work if people follow them.”
— Greg Scott, a long-time cybersecurity and technology professional
But what if no matter what you do, there’s always more that can be done? That’s the reality of cybersecurity — it’s continually evolving.
“The biggest challenge is that one can never finish or complete the task of ‘cybersecurity.’ Rather it requires eternal vigilance. New threats are constantly emerging. There are new software exploits and vulnerabilities being identified which require regular patching. Scammers are developing new forms of tricking individuals, which requires constant training.
Maintaining security is a constant battle and one that requires active planning to minimize the threat posed by new threats as they emerge.”
— Jason Resch, founder at AlwaysAsking
Ron Harris, VP of Omega Computer Services, has a different perspective about the main challenge facing small businesses in particular:
“Right now, I think the security tools and market for the small business are messy. I think that is due to the jargon and products that do not have everything you would need in it. So for business owners to navigate the market right now, it must be overwhelming and scary. I think once the solutions mature and products consolidate down it will be easier for anyone to be able to fortify their networks, devices, and data.”
— Ron Harris, VP of Omega Computer Services
According to Eric Mintz, the biggest challenge for small startups has to do with their budgets. His concern is that not all businesses are in a position to fork out a lot of money on security. However, not investing in security may wind up costing you more in the end in terms of damages, non-compliance penalties, and future lawsuits that may result from data breaches.
What You Can Do to Improve Your Organization’s Cyber Security
You can take a number of practical measures to strengthen your cyber defences. Many of our experts recommend the following strategies for improving cybersecurity while keeping costs low for startups and small businesses:
- Cyber security training should be given to your staff. In the fight against cybercriminals, this is one of the most effective cyber security strategies you can use. Cyber awareness training equips the workers with the skills they need to recognise and react to the ever-changing onslaught of attacks perpetrated by cybercriminals on a daily basis.
- Keep up-to-date digital and physical data backups. Having current and secure backups in place can mean the difference between briefly shutting down and permanently closing the doors. Always remember the 3-2-1 backup rule.
- For each account, use a different password. Passwords should not be reused or recycled across different accounts. Similarly, don’t share your login credentials or passwords with your colleagues, relatives, or coworkers (no matter how nicely they ask). Even if you practise strong password protection in other ways, that doesn’t mean they do. And, if it’s appropriate…
- Make use of a reliable password manager. A password manager could be a good investment for you if you have trouble keeping track of all those unique passwords. A password manager allows you to keep track of all your passwords by just remembering the master password.
- Use endpoint and network security software. This covers everything from antivirus software and virtual private networks (VPNs) to network firewalls and intrusion detection and prevention systems (IDS/IPS). Monitor both inbound and outbound traffic on your network and keep an eye on warnings.
- Limit potential exposure by implementing access controls. It’s not a question of “if,” but “when” something will go wrong. You may reduce the chance of being exposed in the event of a social engineering attack or a data breach by restricting access to critical systems and data through strict access controls.
- Business machines should only be used for business purposes. Implement strict computer usage policies that specify the types of behaviours that users (such as your staff and contractors) are permitted to engage in when using company computers or networks.
- Require the use of a VPN while working remotely with company computers. A virtual private network (VPN) is an excellent tool for businesses all over the world. A VPN helps you to securely connect to networks and transfer data when correctly configured. Due to COVID-19, it’s an especially useful resource for businesses whose workers are constantly on the move or working from home.
- Implement and enforce other cybersecurity policies. You may also enforce other security-related rules, such as a BYOD policy, a social media policy, a file-sharing policy, and so on. As critical as developing these policies is, enforcing them is far more crucial.
- Implement authentication methods that do not require a password. For account protection and authentication, using solid, unique passwords should be the absolute minimum. Passwordless authentication solutions such as multi-factor authentication (MFA) and certificate-based authentication, on the other hand, will take your authentication to the next level.
- Update the applications, firmware, and operating systems on your computers. It’s all too tempting to put off applying changes and patches. However, every hour you delay in rolling out those crucial updates is another hour your company is vulnerable to cybercriminals looking to exploit those flaws. This problem can be alleviated by enabling automatic updates.
Meet the Experts
Okay, now it’s time to meet the experts quoted in this article on cyber security. To make it easier for you, we’ve listed these experts in alphabetical order by last name:
eMazzanti Technologies’ Chief Information Security Officer (CISO) is Almi Dumi. He previously worked as a Senior Network Architect and Team Lead for the organisation.
Iyana Garry is a cybersecurity researcher with over five years of experience in the IT sector. She’s also a big fan of security, automation, and the cloud.
Optimising IT’s CTO is Todd Gifford. He has more than 20 years of IT experience, including 12 years in information security. He’s also a lead auditor for ISO27001 and a CISSP.
Greg Scott is a seasoned cybersecurity and technology expert as well as a published author. He works for the largest open-source software corporation in the world and spends his spare time writing novels and studying cyber-attack methods.
LookingGlass Cyber Solutions’ Chief Security Officer and Senior Vice President of Analytics is Jeremy Haas. He’s a cyber security specialist who previously served at the US Air Force’s Information Warfare Battlelab and spent 14 years at the CIA’s Center for Cyber Intelligence. He also holds the CISSP and CEH certifications.
Omega Computer Services’ Vice President is Ron Harris. He has over 15 years of industry experience and previously worked as an IT director for an insurance firm.
Vestige Digital Investigations’ Chief Technology Officer and founder is Greg Kelley. His job has covered everything from network management and security to disaster recovery and end-user support in his 20 years in the tech industry. He’s also a Digital Forensics Certified Practitioner (DFCP) and an EnCase Certified Examiner (EnCE).
Jovan Milenkovic is a co-founder of AhoyGaming and a software and safety specialist.
EM Squared, a custom software solutions company specialising in end-to-end market automation and IoT growth and integrations, is led by Eric Mintz. He’s worked for a number of Fortune 500 firms, is an author, and has over 30 years of tech experience.
AlwaysAsking.com’s founder, Jason Resch, is a computer scientist, inventor, entrepreneur, and published author. He’s also a cryptographer who’s given talks on cryptography at conferences including ACM, Usenix, and the National Institute of Standards and Technology (NIST), as well as on YouTube. He has hundreds of patents on safe data storage and has collaborated with renowned cryptographers at IBM science. He produced quantum-secure protocols and algorithms, as well as open-source threshold cryptography and cryptocurrency apps.
Kenneth Underhill is a cybersecurity expert, entrepreneur, and award-winning business consultant. In addition, he is the executive producer and host of Cyber Life, a TV show set to premiere in 2021.
PWV Consultants’ managing director is Pieter VanIperen. He’s a 20-year software architect and security specialist with CPTE/CEH, CSWAE, CNFE, CCSO, CIHE, and CISSO certifications under his belt. VanIperen has also co-founded a number of businesses and worked as a consultant and trusted advisor for others.
TeliApp, a web hosting, IT, and cyber security services company, is led by Joshua Weiss.