Instead of us defining what cybersecurity is and telling you what the most important considerations are for businesses, we thought it would be best to let the experts tell you themselves…
When you think of the term cyber security (or cybersecurity, as some people prefer to write it), what’s the first thought that comes to mind? Maybe it’s a picture of the busy people working in a security operations center (SOC). Or, perhaps, you imagine a team of security analysts typing feverishly on their computers.
But what is cyber security exactly? I get it, not everyone is a tech guru and may feel a bit confused with all of the different definitions of the term. So, let’s explore what this term really means for businesses, organizations, and individuals and why cyber security is a responsibility for everyone within an organization.
What Is Cyber Security?
Cyber security is a bit of a vague term that means a lot of things to different people. But what is cyber security all about, really? Some might describe cyber security as the combination of technologies, policies, procedures, and people that protect your technologies, intellectual property, and other sensitive data from unauthorized access and damage. Others might simply describe it as a crucial part of your business’s strategy for protecting its information and data assets.
But a huge part of the driving force beyond cyber security is doing everything within your power to prevent unauthorized access to your digital systems and data. In a nutshell, cyber security is about protecting your tech and data against cyber security threats and attacks — many of which lead to costly cybercrimes. Considering that the FBI’s Internet Crime Complaint Center (IC3) reports that losses from cybercrime exceeded $3.5 billion in 2019, it’s easy to see why every business should build up their cyber security defenses to thwart off as many attacks as possible and mitigate the damages from those that are successful.
If you’re wondering what kinds of “tech” fall in the realm of cyber security concerns, then wonder no more. Cybersecurity is all about protecting computers, mobile devices, networks, servers, IoT connected devices, cloud storage, physical storage devices, and other IT infrastructure. But cyber security actually goes beyond that to encompass multiple areas of security and the policies that affect them. It also covers:
- Application Security
- Network Security
- Operational Security
- Physical Security
- Security Policies
Why Cybersecurity Matters to Large & Small Businesses Alike
Something not all business leaders realize is that cyber security is integral to a lot of different aspects of their organization. It’s not just about security and protecting your trade secrets.
Keeping your data and systems secure helps you to build trust and maintain a positive reputation within the industry. (This can really pay off in terms of your relationships with customers and investors.) But in addition to that, effective cyber security also helps you to avoid costly non-compliance fines and penalties.
What Is Cyber Security All About? The Experts Respond to 3 Questions
We thought it would be fun to ask other industry experts how they would define cyber security. So, we consulted 13 cybersecurity experts to ask them how they would define or describe cyber security. They also shared their thoughts regarding the top cybersecurity considerations and challenges facing businesses today, as well as what businesses can do to strengthen their cyber defenses.
Here’s what they had to say in response to the topic of “what is cyber security?”
1. How Would You Define or Describe Cyber Security?
“Cybersecurity is a holistic way of securing an organization’s data that is mission-focused, using a balance of people, technology, and policies, that continuously improves.”
— Ken Underhill, an award-winning business consultant, entrepreneur, and cybersecurity leader
“Cyber security is protecting the digital assets and productivity tools of the company and customers from loss, misuse, and inability to access.”
— Almi Dumi, CISO eMazzanti Technologies
“I like the CISSP triad. Cybersecurity means protecting systems from the loss of confidentiality, integrity, and availability. Eyes usually glaze over by the time I finish that sentence.”
— Greg Scott, long-time cybersecurity and technology professional
“Cybersecurity can be defined as a set of processes and technologies that are established to protect networks, devices, data, and programs from unwanted access and damage.”
— Jovan Milenkovic, a tech and safety expert at AhoyGaming
“Cybersecurity is the practice of defending technology from an attack that happens via the internet, ethernet, Wi-Fi/radio signal, telephone or physical access. Cybersecurity is designed to protect computers and networks from theft or damage of hardware, software and electronic data.”
— Pieter VanIperen, managing partner at PWV Consultants
Jeremy Haas, Chief Security Officer and Senior Vice President of Analytics at LookingGlass Cyber Solutions, takes a bit more of an academic approach when it comes to defining cyber security:
“Before defining cyber security, one must define cyber. Cyber is the virtual and logical environment that is represented by and processes digitally encoded information. This digitally encoded information represents the data, intellectual property, computer instructions, software, and hardware used to store, process, and transmit this information. Cyber security is the practice of ensuring the confidentiality, integrity, and availability of this virtual and logical environment’s information and functionality.”
— Jeremy Haas, CSO at LookingGlass Cyber Solutions
The next few experts offer more in-depth perspectives of what cybersecurity is and what it does:
“Cyber security [is] the processes and mechanisms applied to provide for the confidentiality, integrity, and availability of one’s digital assets. In other words, to ensure that those who are authorized can always access their digital assets, while simultaneously ensuring that those who are unauthorized are never able to gain access (either to view, corrupt, delete) those assets.
Digital assets include everything from customer lists and trade secrets, to employee information, records, e-mail, source code, databases, passwords, server logs, internet traffic, backups, and any other information related to the business or organization in question, for which there are concerns over either losing that information, or having it be exposed.”
— Jason Resch, founder at AlwaysAsking
“The heart and soul of most businesses is their data. Take away their data, and they’re out of business almost instantly and probably for good. That puts data high on the list of your most essential assets. Because data lives on computers, it’s subject to the realm of cyber security. Cyber security is the preservation of data and keeping it private.”
— Eric Mintz, CEO of EM Squared
“Cyber security refers to the protection, and response to a violation of such protection, of a company’s digital information. The first part of the definition concerns how a company goes about protecting its digital information from internal and external threats. Through the use of hardware and software devices, company policies and electronic policies, a company aims to protect its data from being accessed, taken or altered by an unauthorized individual.
The second part of the definition concerns how a company responds to a potential compromise of its data. Does it have a plan in place in such a situation? How did they execute that plan? What was the result of investigating the incident?”
— Greg Kelley, CTO of Vestige Digital Investigations
2. What Is the Most Important Consideration When It Comes to Effective Cybersecurity for Small Businesses?
“The most important consideration for small businesses is to not ignore it and don’t wait until you have a problem. Cybersecurity is active, and not passive. There are about 5 security controls for small businesses, that if done effectively, provide the most impact so effective cybersecurity doesn’t have to be complicated or intimidating. It’s not a matter of if you have a problem, but when.”
— Jeremy Haas, CSO at LookingGlass Cyber Solutions
“The biggest single consideration is cost and complexity vs effectiveness. Keep your environment simple, work with a good provider or in-house team and focus on getting the basics right: Staff training, patching and a good backup plan”
— Todd Gifford, CTO of Optimising IT
“Small business owners need to look at information technology as an asset instead of an expense. I remember talking to a dentist a few years ago. He stored his patient x-ray images on an obsolete Windows XP system tucked away in an unused cubicle. When I asked him what would happen to his practice if those x-rays were to disappear, he replied that he didn’t need computers to practice dentistry. I challenged him to turn off all his computers and run his practice for one day without them. He never returned another phone call or email after that.
Business owners care about their assets and take tangible steps to protect them, but they minimize expenses.”
— Greg Scott, a long-time cybersecurity and technology professional
“This can be difficult to answer quickly because there are so many different types of small businesses, and each small business may utilize different hardware and software that could make them vulnerable to ‘cyber attacks.’ When people talk about this, they are generally referring to malware, which is ‘any software intentionally designed to cause damage to a computer, server, client, or computer network. A wide variety of malware types exist, including computer viruses, worms, trojan horses, ransomware, spyware, adware, rogue software, and scareware.’
Notwithstanding the above, a quick way to start intelligently thinking about cyber security is to think about which devices have connectivity to the outside world (this of course includes the Internet, but also includes USB drives that may be used between computers within the business and elsewhere), and then think about how information (data) flows between them.
To whom is data being sent? How is data being downloaded? Who has the ability to download information and/or install programs? This is akin to thinking about security in one’s home. If you install a lock on your door, who has the key? And also an important thing to remember is that there is a potentially fatal structural flaw built into all locks, whether they are software or hardware based; and that vulnerability is that it can only work if you use it. Having a lock on your door is great. But if your door is not locked, then the lock is useless.”
— Joshua Weiss, CEO of TeliApp
“Convincing a small business that they are just as big a target as the vast majority of companies out there because they are merely connected to the internet. Many small companies think that they don’t have to worry about it because they are small, do not have large revenues or do not have sensitive information. Nothing can be further from the truth. Cyber criminals target any and all companies by casting a wide net and will gladly steal your payroll, rental payments, payment to vendors or from customers or encrypt all your data grinding your company to a halt until you pay them.”
— Greg Kelley, CTO of Vestige Digital Investigations
“Humans are the weakest link in cybersecurity and hence, the most important consideration. In addition to implementing a commercial grade firewall and other basic network security measures, small business owners should have a security expert come into the workplace to train employees and evaluate weaknesses.”
— Almi Dumi, CISO eMazzanti Technologies
“Focus on the fundamentals. Many small business owners I work with do not even use two-factor authentication and strong/complex passwords.”
— Ken Underhill, an award-winning business consultant, entrepreneur, and cybersecurity leader
“First and foremost, to identify all the information (created or held by) the organization for which there are security concerns, and then secondly, developing a plan to safeguard that information. Where safeguarding it involves one or both of preventing the irrecoverable loss of that information (through accident, negligence, or malice) and preventing the exposure of that information to unauthorized parties (again through either accident, negligence, or malice).”
— Jason Resch, founder at AlwaysAsking
“As an IT professional, I see computers getting attacked all the time; hundreds or even thousands of times per day. The attacks range from a “bot” trying over and over to guess your WordPress password, to [phishing] emails to trick you into giving up sensitive information, to implanting malware on your server that encrypts your data and holds it ransom.
The IT industry does a good job at protecting your digital assets. Getting “hacked” is a relatively rare event because nearly all businesses rely on the Pros for their security. But here’s the rub: for the Pros to win, they have to thwart all cyber attacks 100% of the time. For cyber criminals to win, they only have to penetrate the defenses one time.
Your number one defence against cyber crime is to let a Pro manage your security, someone who makes a career of knowing all of the risks, and guarding against them.. Any good Pro will include computer backups as part of the defense. Even if the criminal wins just that one time, good backups will be the difference between being inconvenienced for a few hours while the backup data is restored, and being down for the count when your data is compromised.”
— Eric Mintz, CEO of EM Squared
For Jovan Milenkovic, a tech and safety expert at AhoyGaming, effective cybersecurity boils down to three main considerations:
- Knowing what the risks are so you can better defend your business against them. “Many companies are not aware of their risks when it comes to managing their business. This is how they fall prey to different companies trying to sell them their solutions, and end up with something they don’t even need. That’s why before protecting your business from the intruders, make sure to assess your risks and determine what, where, and how you should be protected.”
- Going beyond the minimum with identity authentication. “Generally, I think passwords are just a first step of keeping your business safe, and companies shouldn’t rely only on setting strong passwords. Instead, they should implement ones with multi-factor authentication or biometric abilities to manage identities.”
- Recognizing the importance of effective access management. “Access management is yet another thing businesses should take into consideration when trying to cyber-proof their business, since it will help them protect their internal and external data. That’s why they should think about having least-privilege access through the organization since the more access there is, the more are the chances of a data breach.”
3. What Is the Biggest Challenge Facing Businesses When It Comes to Strengthening Their Cyber Defenses?
In response to this question, we received a lot of different takes and perspectives about what the “biggest” cybersecurity challenge is for businesses. Some of them were to be expected (budget concerns) while others looked beyond that obvious concern.
Although they say it in different ways, several of the experts honed-in on the concern that the biggest challenge facing businesses is the mindset of their owners and leaders.
“The biggest challenge businesses face is taking security seriously enough to not wait until it is too late to care, such as after a data breach occurs. By then, the damage has already been done; a company’s reputation has taken a hit and the breach has cost them millions. Do what needs to be done so that things do not get to that. Not all cyber security measures will be 100% foolproof; however, something is better than nothing.”
— Iyana Garry, a web security researcher
“Business owners and leaders sometimes have the mindset that security can be dealt with ‘later’ or that problems don’t need to be fixed right away. What ends up happening is an event or incident around those areas that forces the business into addressing it, which ends up costing more money than if it were in the budget.
For small businesses and startups, it’s largely a lack of funding vs. not allocating funds to security, as well as a lack of knowledge. Set aside funds to hire an expert at the beginning of the business to set the business up with cybersec practices. This will reduce costs long term. If the business is already operating, get setup as soon as possible. The longer a business waits, the more likely costs will explode.”
— Pieter VanIperen, managing partner at PWV Consultants
“The biggest challenge is quantifying the risks and investing appropriately in mitigations. The risks are always changing because cyber evolves and the threat actors evolve with it. When one attack stops working, the threats quickly change. And unlike the physical world where physical proximity is one factor that limits threats, in cyber, businesses can be attacked by anyone in the world with a computer and internet access. Cyber is the only environment where [thousands] of people and bots are attacking you every day, 24/7/365.”
— Jeremy Haas, CSO at LookingGlass Cyber Solutions
But it’s not just the leadership whose mindsets need to evolve. It also comes down to changing the practices and actions of other employees through cybersecurity awareness training.
“Changing the attitudes and risky behaviors of employees is the biggest challenge. Small businesses could do a lot to strengthen their cyber security posture by building a security-first mindset within the organization. For example, with a focus on cyber security technology, SMBs overlook the fact that ransomware works because of effective social engineering, i.e. phishing schemes. More effective cyber-security training can prevent it.”
— Almi Dumi, CISO eMazzanti Technologies
Another huge consideration for businesses has to do with employees being able to demonstrate cyber awareness.
“Most small business owners will complain they don’t have money to strengthen their cyber defenses. That masks the biggest challenge, which is awareness. Just like we teach everyone who drives a car what happens in a head-on collision, we need to teach small business owners about the threats that come with today’s internet opportunities. Business owners who appreciate the threat will find appropriate tactical tips — I have plenty and so do other security professionals. But those tips only work if people follow them.”
— Greg Scott, a long-time cybersecurity and technology professional
But what if no matter what you do, there’s always more that can be done? That’s the reality of cybersecurity — it’s continually evolving.
“The biggest challenge is that one can never finish or complete the task of ‘cybersecurity.’ Rather it requires eternal vigilance. New threats are constantly emerging. There are new software exploits and vulnerabilities being identified which require regular patching. Scammers are developing new forms of tricking individuals, which requires constant training.
Maintaining security is a constant battle and one that requires active planning to minimize the threat posed by new threats as they emerge.”
— Jason Resch, founder at AlwaysAsking
Ron Harris, VP of Omega Computer Services has a different perspective about the main challenge facing small businesses in particular:
“Right now, I think the security tools and market for the small business are messy. I think that is due to the jargon and products that do not have everything you would need in it. So for business owners to navigate the market right now, it must be overwhelming and scary. I think once the solutions mature and products consolidate down it will be easier for anyone to be able to fortify their networks, devices, and data.”
— Ron Harris, VP of Omega Computer Services
According to Eric Mintz, the biggest challenge for small startups has to do with their budgets. His concern is that not all businesses are in a position to fork out a lot of money on security. However, not investing in security may wind up costing you more in the end in terms of damages, non-compliance penalties, and future lawsuits that may result from data breaches.
What You Can Do to Improve Your Organization’s Cyber Security
There are many specific steps you can take to try to improve your cyber defenses. Many of our experts offer the following suggestions for startups and small businesses to improve their cybersecurity while keeping their costs down:
- Train your employees with cyber awareness training. This is one of the most important cyber security tactics you can employ in the war against cybercriminals. Cyber awareness training arms your employees with the knowledge they need to identify and face the evolving barrage of attacks cybercriminals are using on a daily basis.
- Maintain current digital and physical data backups. Having reliable and current backups in place can be the difference between you temporarily shutting down and closing your doors permanently. Be sure to follow the 3-2-1 backup rule.
- Use unique passwords for every account. Resist the urge the reuse or recycle passwords across multiple accounts. Likewise, refrain from sharing your login credentials and passwords with your friends, family, and coworkers (no matter how nicely they ask). Even if you practice good password security in other ways, it doesn’t mean that they do. And, if necessary…
- Use a secure password manager. If you have issues keeping track of all those unique passwords, then a password manager might be a good investment for you. A password manager is a way for you to manage all your passwords while only having to remember the master password.
- Use endpoint and network protection solutions. This includes everything from antivirus software and VPNs to network firewalls and IDS/IPS solutions. Be sure to monitor alerts closely and keep an eye on both inbound and outbound traffic on your network.
- Implement access controls to limit potential exposure. It’s not so much a matter of “if” but “when” something’s going to go wrong. By limiting access to vital systems and data through strong access controls, you’re limiting your risk of exposure in the even of a social engineering attack or data breach.
- Limit use of business computers to business purposes. Implement strict computer use policies that outline the types of activities users (such as your employees and contractors) can engage in when using company devices or networks.
- Require the use of a VPN when using company devices remotely. A virtual private network (VPN) is a great tool for companies worldwide. When properly configured, a VPN allows you to connect to networks and transmit data securely. It’s a particularly great resource for companies whose employees are frequently on-the-go or are working from home due to COVID-19.
- Roll out and enforce other cybersecurity policies. There are many other types of security-oriented policies you can implement, including a BYOD policy, social media policy, file-sharing policy, etc. But as important as creating these policies is, it’s even more important that you enforce them.
- Implement passwordless authentication measures. Using strong, unique passwords should be the minimum for account security and authentication. But you can take your authentication to the next level with passwordless authentication options like multi-factor authentication (MFA) and certification-based authentication.
- Keep your devices’ software, firmware, and operating systems up to date. It’s easy to procrastinate on implementing updates and patches. But every hour that you wait to roll out those critical updates is another hour that your business is vulnerable to cybercriminals who want to exploit those vulnerabilities. Setting automatic updates can help with this issue.
Meet the Experts
Alright, it’s time to virtually acquaint yourself with the experts in the article on what is cyber security all about. To make things easy, we’ve listed these experts in alphabetical order according to their last names:
Almi Dumi is the Chief Information Security Officer (CISO) at eMazzanti Technologies. He previously served as the company’s Senior Network Architect and Team Lead.
Iyana Garry, a cybersecurity researcher who has worked in the IT field for more than five years. She’s also a security, automation and cloud enthusiast.
Todd Gifford is the CTO of Optimising IT. He has more than 20 years of experience in IT and 12 specifically working in infosec positions. He’s also a CISSP and ISO27001 lead auditor.
Greg Scott is a long-time cybersecurity and technology professional and author. He works for the world’s largest open-source software company and spends his free time writing novels and researching cyber attack methods.
Jeremy Haas is the Chief Security Officer and Senior Vice President of Analytics at LookingGlass Cyber Solutions. He’s a cyber security expert who spent 14 years at the CIA’s Center for Cyber Intelligence and previously worked at the U.S. Air Force’s Information Warfare Battlelab. Additionally, he holds CISSP and CEH certifications.
Ron Harris is the Vice President of Omega Computer Services. He has more than 15 years’ experience in the industry and previously served as an IT director at an insurance company.
Greg Kelley is the Chief Technology Officer and a founder at Vestige Digital Investigations. With 20 year of experience working in the computer industry, his work has touched on everything from network management and security to disaster recovery and end-user support. He’s also an Encase Certified Examiner (EnCE) and a Digital Forensics Certified Practitioner (DFCP).
Jovan Milenkovic is a tech and safety expert who co-founded AhoyGaming.
Eric Mintz is CEO of Em Squared, a custom software solutions firm that deals in end-to-end business automation and IoT development & integrations. He’s worked for multiple Fortune 500 companies, is a published author, and has more than 30 years of tech knowledge.
Jason Resch is the founder of AlwaysAsking.com, a computer scientist, inventor, entrepreneur, and a published author. He’s also a cryptographer who has presented at conferences (ACM, Usenix, and the National Institute of Standards and Technology (NIST) on cryptographic topics, as well as on YouTube. He’s worked with renowned cryptographers at IBM research and has hundreds of patents on secure data storage. He has invented quantum-secure protocols and algorithms, and also has written open-source software for threshold cryptography and cryptocurrency.
Kenneth Underhill is an award-winning business consultant, entrepreneur, and cybersecurity leader. He’s also the executive producer and host of Cyber Life, a TV show that will debut in 2021.
Pieter VanIperen is a managing partner at PWV Consultants. He’s a 20-year software architect and security expert who holds multiple industry certifications — CPTE/CEH, CSWAE, CNFE, CCSO, CIHE, and CISSO. VanIperen also has co-founded multiple companies and served as a consultant and trusted advisor for others
Joshua Weiss is the CEO of TeliApp, a web hosting, IT and cyber security services firm.