1. I see the huge data breaches in the news. So cyber attacks only happen to big companies, right?
No - many attacks and data breaches happen to small companies, organizations, and government departments. A recent large cybersecurity conference featured a full-day workshop for small governments and non-profits. It can happen to anyone.
2. There are so many bad actors out there and such a wide and growing variety of threats. Has it gotten to the point where there is really nothing that can be done to avoid a successful attack?
Well, there is a LOT that you can do to keep your business and your data - and your customers' data - safe. No one is 100% protected, but there are definitely best practices that can be followed which greatly reduce the likelihood of a serious security incident. In fact, many steps that you can take are very economical, and are sometimes referred to as the "low-hanging fruit". And with additional resources, there are many technical, procedural, and user-focused measures you can apply to create additional layers of protection.
3. Will developing defensive policies and testing our security disrupt our daily operations?
It should not be allowed to disrupt normal business functions. Yes, if you authorize active - rather than passive - probing, testing, and scanning on live data, during business hours, using improper tools, there may be disruption. To prevent this, we make smart choices and use safe practices that avoid damage, disruption, and confusion. We also agree on a detailed plan ahead of time.
4. But this is really just an IT problem, right? Aren't they paid to protect our data and systems?
Information Technology teams are certainly involved in protecting assets like computers and sensitive data. However, good data security is everyone's responsibility, from top management down to every employee or contractor. Targeted user education, best practices, and common-sense planning can help create a "culture of security" that is the foundation for good data protection. It all starts with a customized, comprehensive Data Security Policy document.
5. After we engage in a one-time cybersecurity project, then can we get back to business-as-usual?
Almost all modern companies, departments, and organizations rely on connected technology to help them perform their mission. And with the growing threat landscape that changes every year, vigilance and revising plans and policies are an ongoing priority. There will never be a day when we can stop paying attention to the cybersecurity responsibility we all carry. There may be additional effort and resources deployed to create initial plans and guidelines, but recurring training, planning, and vulnerability testing are here to stay.