
Information Security – Dispelling the FUD

Why are small businesses reluctant to tackle the security question? 

Why do they continuously avoid all discussions about risk and security?

I believe that it’s not because they’re irresponsible, or that they don’t care about their business. I’m of the firm opinion that it’s mainly due to the Information/Cyber Security industry itself.

Fear, Uncertainty and Doubt (FUD) have been used by many security professionals during conversations with their clients (and prospective clients) about risk. They’ve told their clients that their businesses are going to crash and fail; their sensitive data is going to be breached; their business reputation that they’ve built over the years will be shredded and worthless. No wonder they want to avoid engaging with Security. They see us all as Chicken Little!

 

Why have many Security Companies done that? Because it’s easy to sell promises of protection to fearful clients. (1)

A longtime friend who works in a related discipline (Privacy and Compliance) recently said to me that his SME clients won’t engage with a discussion around security because they believe that implementing security controls will incur huge expense and constraint (and to be fair to them, that’s often what they’ve been told).  In my opinion, security shouldn’t be an overhead or be costly – it should seamlessly align with the normal routine of change. Small/medium businesses (2) should follow a simple manageable timeline that fits with their business model. This can all be achieved by taking “baby steps”:

  • Think of what they want to achieve (i.e. what’s the business driver):
    • Shareholder (regulator, client) assurance & trust?
    • M&A/Growth/Scalability (integrated, effective, efficient, & seamless processes)?
    • Marketing advantage (is there a demand for compliance from a client or partner)?
    • Ongoing sustainability of the business (i.e. being able to protect, defend & mitigate a directed malicious attack on the business e.g. interruption of service, ransom, etc.)?
  • Develop a strategy for meeting their goal and build a plan. Gain buy-in from top level management to meeting the objectives
  • Implement basic policies, processes & controls (3), with a commitment to continuous improvement. Measure and report it.
  • Review the strategy & plan regularly, and adapt to meet new challenges & goals

So if it’s this simple, then why aren’t SMEs sitting down with independent security consultants (4) to explore what the real costs and effort in implementing good security actually are?  I think that the FUD merchants have purposely tried to make the discussion more complex in an attempt to convince clients that security is much more than “common sense”. I take the view that a reasonable level of active information risk management and security can be achieved by most SMEs for negligible cost.  

I believe that many businesses are passively accepting inherent risk (i.e. they haven’t considered their risk appetite or risk tolerance, and aren’t managing their risk), simply because they don’t know where to start. Good (5) risk/security consultants can quickly and easily help to unravel the vocabulary around risk, so that businesses can begin to:

  • clearly understand and manage their inherent risk (uncontrolled risk), 
  • minimise and accept their residual risk (controlled risk), 
  • measure, review and continuously assess their risk, 
  • maximise the opportunities that positive risk can bring for them. 

This helps every business to resolve the Fear in FUD and replace it with Confidence. It resolves the Uncertainty and replaces it with Assurance, and resolves the Doubt and replaces it with Nurture (certainty, trust & expertise). So, simply put, our clients can quickly and easily move from FUD to CAN.

Simply, it’s not about implementing costly security controls (in isolation of business context and strategy), but rather about managing unwanted risk in a cost appropriate (and simple) way.

If you want to explore further any of the topics discussed here (strategy & planning, risk management, control effectiveness, etc.), or if you’re facing any issues in terms of your security, please reach out to [email protected] and we’ll be delighted to talk with you in more depth about them. It won’t cost you anything!

The early steps are really easy, and we CAN definitely help you achieve them.  

(1) Why do you think unethical politicians do this at election time? It works!
(2) I don’t think this approach is just limited to SMEs but it’s often easier to change direction in a small ship than a huge ocean liner.
(3) My firm belief is that the 80:20 rule applies – risk can be reduced by 80% by applying the correct 20% of controls.
(4) i.e. consultants that aren’t bound to any security hardware or software vendor
(5) Good is the operative word – it doesn’t have to be great