Sleepless nights, and business owners

-

What keeps the business owner up at night?


I am talking about owners of the micro, small, and in some cases medium sized business; those owners who on a daily basis put their heart and soul into building their business and doing all they can to keep it running successfully; making profit; keeping customers happy; employing people etc.

 The farthest thing from their minds will be information and cyber security. 

 It could even be suggested that the mere mention of the subject is likely to result in a furrowed brow followed by, this is what I pay the IT Service Provider to look after.

 It is not surprising then that the evangelist, having worked in the information and cyber security space for many years, comes across disinterest; disregard; and perhaps just a bit of indifference when the subject is raised.

 That is not meant to insult the business owners, it’s simply a fact of the evangelist's life.

 For 20 years and more so many thoughts around how to change mind-sets have come; gone; and come back again without too much forward movement. 

 For the evangelist this is simply a case of, ‘I don’t understand why you don’t understand’.

 It is abundantly clear then that addressing the ‘lack of understanding’ has got to be a priority; but then it always has been. 

 Perhaps it is the language (and acronyms) of information and cyber security that is one of the challenges. Admittedly a whole new level of strangeness. When added to the IT Service provider speak, then perhaps talk of and for example, information security management systems (ISMS), will be a step too far.   

 If the business owner is already paying an IT Service provider, and listening to IT speak, why pay for additional services, and cope with the strangeness that is information and cyber security? Besides, if the talk is about ‘cyber’, then surely that is IT; isn’t it?

 The UK National Cyber Security Centre (NCSC) provides a considerable amount of excellent advice; but they can only do so much. The advice given will not necessarily be in-line with your specific business context.  The local IT Service Provider will of course be of value. However, it is not simply a case of a new firewall or AV or a UTM box; there is much more to the challenge.

 The information and cyber security professional will provide their knowledge and experience; use NCSC (and other) guidance; work with IT Service Provider; but place it all into an information and cyber security context that meets your specific business need. 

 All that is required is you, the micro, small or medium sized business owner. We can show you the watering hole; show you how and when to drink; the types of water to be cautious of; and other hazards found at the watering hole. 

 Getting down to completing the task of drinking is up to you. If you don’t drink what is likely to happen to you and your business?

 It might just keep you up at night.

 KanSecurity (NL) 

Popular posts from this blog

Black Swans and other things

-
Image
Back swans and other things. For transparency I’m not an academic. What I enjoy doing is reading academic works, it does not matter what field, with the objective of attempting to answer questions I have related to information and cyber security. Two [of many] questions [the context throughout this blog are businesses, organisations, and information and cyber security] . Why, in the many cases that have been documented, do Chief Information Security Officers [CISO] get shown the door following a major breach of a company network? Whilst CISOs are highlighted, others having a similar role but not called CISOs, are also covered under this question. Why, given the current situation of COVID-19, were many businesses unprepared? The unauthorised attempts at infiltrating a company network, are not outliers [thus not a Black Swan], they happen daily, it is the norm. The evidence, even though prejudiced in itself, is there for all to see. I say that the evidence is prejudiced
Read more

Personal data or PII

-
Image
PII or not to PII, that is the question PII, or personally identifiable information, is used an awful lot to describe something that within the EU-GDPR, DPA2018 (UK-GDPR) is referred to as, personal data. What is personal data vs PII? Personal data - means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art 4(1)). PII is identified in US law as - information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.  (Offic
Read more

Risk and micro, small business

-
Image
Risk; why is it so difficult? Information security risk management, or if you wish cyber security risk management; either way it appears to cause a bit of a problem. Over many years now I have seen and audited different concoctions, the majority of which fail completely to be effective in managing the risk.  That said, I have also seen some scarily good processes, many of which are application driven rather than spreadsheet driven. This is an out and out plug, but the best and most effective examples have usually be driven by Acuity Risk Management's Stream application .  However, for the micro or small business the best approach is to keep things simple, for the moment at least. Risk description - there are excellent definitions for risk published within various ISO documents. However it all boils down to the following: Source (what is the source of the thing that could happen - internal or external parties) Event (what is going to occur) Cause
Read more