I have been asked many times by company bosses whether there is such a thing as a 100% secure environment.
The simple answer is NO. There is no such thing as a 100% secure environment, at least at the small-medium sized company (SME) level.
To have near 100% protection, you would need a team of senior security specialists covering a wide range of disciplines, from infrastructure and systems to applications. This would be too costly for a small-medium sized company to operate.
For SMEs, cybersecurity is at best a best-effort undertaking.
An IT network is like a human body
An IT infrastructure with its applications is like the human body.
While we try our utmost to stay in the pink of health by working out and eating right, we nonetheless will come down with something eventually.
It is the same with IT setups within companies: you can try your best to stay safe, but you will get something if you are in the crosshairs of a skilful hacker.
Vulnerabilities exist across the entire landscape, from network infrastructure and systems to applications.
Even with firewalls in place, ports left open could serve as entry points for hackers, or malicious programs could be disguised as legitimate traffic.
Servers whose operating systems are not hardened could be exploited.
Vulnerabilities in office applications could likewise be exploited. Traditionally, software development focused more on application functionality, usability and speed to market than on security. Hence security gaps abound.
To make matters worse, companies are adopting more technology than ever. Moreover, the technologies themselves are constantly evolving. Hence there will be more and more vulnerabilities for cybercriminals to exploit. Cybersecurity professionals will have their hands full trying to fix these vulnerabilities, let alone keep up with changes.
Operationally, when new patches are made available, companies tend to delay updating their systems for fear of a system or software crash. The period before they apply the patches is an opportunity for hackers to get in.
In most small-medium sized setups, the lack of fundamental cybersecurity measures is lost on the management. They are typically more concerned about sales, profitability and operational matters.
Cybersecurity issues are typically left to the IT guy. The poor IT guy is likely to be trained in systems or infrastructure rather than in cybersecurity.
Another factor contributing to cyber breaches is the employees themselves. They may not place sufficient emphasis on cybersecurity matters, resulting in a lax attitude.
Things are made worse when employee mobile devices are linked to the network. In most cases, the employees will download third-party apps. These apps could be gateways for hackers to enter and introduce a malicious program.
The malaise of cyber breaches and its impact will increase exponentially when IoT becomes pervasive, connecting everything. It will then be a nightmare for cybersecurity personnel.
Monitoring all these vulnerabilities will put a huge strain on the resources of most small-medium sized companies.
Why you still need protection
However, despite the daunting challenge of managing all these threats, a company still needs to be proactive rather than reactive. After all, once a breach happens, there is little you can do.
The news of a breach on your network could bring down your business as customers and suppliers might lose confidence and not want to do business with you.
Making your network a tougher target will reduce the threat from web-bots. Less skilful hackers will also move on to simpler, more vulnerable targets.