Is your firm spending too much on cyber security?
Some Australian businesses are spending too much on unnecessary cyber security solutions, according to cyber security professional Tim Redhead of DotSec.
Editor’s note: This article originally appeared on Lawyers Weekly’s sister brand, Cyber Daily.
Every business is unique, whether in the services it offers or in the stage it has reached in its cyber security journey. For cyber criminals, this means their methods of entry will be tailored to exploit a business's individual vulnerabilities.
To Mr Redhead, this means that there is no one silver bullet for Australian companies looking to protect their systems – and many companies may, in fact, be paying for services that do not align with their needs.
“You can buy lots of silver bullets, but each one of them is just a solution for a [single] problem,” Mr Redhead explained.
“You’re just hoping that you’ve got the right silver bullet for the threat at hand.”
“You have to understand which risks you’re going to manage, then decide which products you’re going to spend money on. If you do that, you’re likely to spend much less than otherwise would be the case.”
According to the cyber security expert, Australian businesses often buy solutions that they think will help them but that do not actually address their biggest risks, leaving them vulnerable. For these businesses, whether they have invested correctly comes down to luck.
“If you’re lucky, the solutions will address the primary threats, but the likelihood is that you’ll spend too much money, and the improvements will either be incomplete or take an unnecessary amount of time to implement,” he said.
Instead, Mr Redhead urges businesses to build a cyber security framework tailored to the unique needs of their business – balancing budget with risk. Under this framework, businesses will prioritise protecting their most important assets and functions while putting defences in place to stop the most likely avenues of attack.
For businesses unaware of how to begin navigating their cyber security journey, Mr Redhead suggests that they should first research publicly available risk frameworks.
Tailored to different industries, the risk frameworks provide guidance on how businesses can identify their vulnerabilities and build a cyber framework relevant to them.
“Start by adopting a controls framework or standard. There are many you can go with. You have ISO 27001, which is a risk management framework, CIS Controls Version 8, and there’s the ASD’s Essential 8,” he recommended.
This starting point can also be strengthened by asking a few easy questions. “Ask, what are the things in your organisation that you’re trying to protect? And why are you trying to protect them? How critical are they to your business’s operations? What would you do without them, if they were destroyed, stolen or misused?” he said.
If a business needs to transfer risk, Mr Redhead explained, it can also look toward investing in cyber insurance. However, as with any insurance policy, businesses need to ensure they are compliant with the policy’s requirements to remain eligible for a payout.
“Did you implement multifactor authentication? Do you have endpoint management? Do you have a way of managing and monitoring what goes on in your organisation? And so forth? If you’ve got those in place, you’ll probably get paid out,” Mr Redhead said. “But if you don’t, then I guess you’re at the mercy of the insurer at that point. And that answers your question: what would they pay and what they won’t? It’ll depend on what the causes are.”
To learn more about how businesses can build a cyber security strategy tailored to their unique needs, watch our recent live stream with DotSec founder and chief executive Tim Redhead here.