I have been asked many times by company bosses whether they will not be a victim of a cyber attack and whether there is such a thing as a 100% secure environment. The simple answer is NO, especially in a small-medium size company. To have 100% protection, you would need a team of senior security specialists with the help of advance AI-driven software to be able to detect and defend against any breach almost immediately. This will be too costly to operate for a small-medium sized company.
Cybersecurity is on a best effort basis.
An IT infrastructure with its applications is like the human body. While we try our utmost to stay in the pink of health by doing and eating right, we nonetheless might still come down with something eventually. It is the same with IT setups within companies. When you are in the sight of a capable hacker, you will be breached.
Vulnerabilities exist all over the entire landscape from system hardware, infrastructure to applications. Hackers can send malicious payloads through unopen ports in the firewall or simply attack an open target – webservers.
Another technique used by hackers is posing its malicious program as legitimate traffic. These days hackers are sending malware via emails to unsuspecting employees.
Within the server itself, vulnerabilities exist in the underlying operating system to the applications that sit on it. With services are left open, they provide possible entry points for hackers. Also with companies adopting more and more technology, the vulnerabilities are compounded.
Vulnerabilities in firmware in switches and routers to vulnerabilities in software. Software that was are more functional and user focus than security focus. To compound to the issues, software technology themselves are constantly evolving. Making patching the application, similar to trying to hit a moving target as there is constantly a battery of software patches and updates.
Also when new patches are made available, companies tend to delay updating the system for fear of a system or software crash.
In most small-medium size setup, the lack of fundamental cybersecurity measurements is lost on the management. They are typically more concern about sales, profitability and operational matters.
Cyber knowledge to them is left to the IT guy. As IT is very wide, the poor IT guy may not be cyber-trained. More if he is more often than not he is likely to be systems or infrastructure trained personnel, rather than application trained.
Also, another factor contributing to cyber breaches are the employees themselves. Lapses could occur from administrators forgetting to close out user access when they leave the company to an employee not keeping his/her password confidential.
Things are made worst when employee mobile devices are linked to the network. In most cases, users will download 3rd party apps. Hidden within the app could be a malicious program waiting to be unleashed.
The malaise of cyber breaches and its impact will increase exponentially when IoT comes along connecting everything. It will be a nightmare.
To be able to monitor all these vulnerabilities will put a huge strain on the resources of most small-medium size companies.
Hence it goes back to our earlier statement – for the small-medium size companies, – cybersecurity will be on a best effort basis.