1. Thinking security must be a big task

A typical IT network is a complex combination of laptops, servers, switches, routers, databases, cloud platforms and so on. Even in a moderately sized organisation it can be hard to step back and see the whole picture, and that makes it difficult to know where to start securing such a network.

What is often seen, though, is that big gains can be made by implementing small steps. Good policies around backups, patching and passwords alone go a long way to setting a solid foundation for a secure environment.

Many small and medium enterprises would benefit from a framework such as the UK government's Cyber Essentials scheme, which sets you up to defend against the vast majority of commodity attacks. For larger organisations, a framework such as the CIS Controls is recommended for a more in-depth look at how to protect a diverse network against even determined attackers.

2. Not involving their staff

Because of the supposedly ‘techy’ nature of IT security, many companies see it as an IT issue alone. This is one of the reasons I love security so much – it transcends tech and touches on the human side of our lives. Email filtering and blocking is great, but if a mail does get through and someone clicks on a malicious link, the technical controls have been bypassed.

Cyber security is as much about training people as it is about strong passwords or firewall rules. If staff hand responsibility off to the IT department, they leave themselves open to a well-crafted phishing email, an assertive scam phone call or holding the door open for a physical intrusion tester, any of which can compromise your data.

3. Hoping to eliminate the risk of cyber attack

Risks exist in many areas of our lives and businesses. While we take whatever steps we can to minimise them, it must also be recognised that they can never be eliminated entirely.

Wherever you live or work, there will always be a risk of fire. So you prohibit smoking in certain areas, use particular materials for construction and place extinguishers at set points.

Cyber attacks are the same. You can deploy firewalls, segment your network, patch regularly and rapidly, and promote good password habits among staff, but there is always a chance that a breach will happen. The more complex your environment, the more likely this is.

So accept that the risk exists, and tackle the higher-risk areas first. Assess your network and identify where your security gaps are. You can take steps to mitigate those gaps, but you will reach a point where it isn’t cost-effective to go further and you are willing to live with the level of risk that remains. Don’t look to eliminate the risk; seek to manage it instead.