Businesses should be wary of adopting cyber security measures just because they are considered “best practice,” as this can lead to complacency and a lack of adequate protection.
When it was originally coined, the phrase “best practice” referred to a way of doing things that would yield the best possible results and avoid unnecessary effort or spending. Now, “best practice” is often used as an excuse for not thinking more deeply about how to approach something.
This can be dangerous when it comes to cyber security, as malicious attackers are becoming more sophisticated and are often funded by organisations with deep pockets. The threats are evolving as fast as security organisations can find new ways to combat them.
The ongoing game of cat-and-mouse isn’t likely to ease up soon, since organisations are only becoming more digitised, not less. This means there will be more useful information up for grabs for smart hackers.
Using a “best practice” defence from even one year ago isn’t going to cut it against today’s cyber threats. Being wedded to “best practice” without examination can make it difficult for businesses to move quickly enough in the face of an attack.
Instead of accepting “best practice” recommendations at face value, Aleron recommends considering various types of cyber security measures and approaches based on critical information including: the level of risk faced by the organisation; the potential consequences and costs of specific types of attacks; and the amount of resources the organisation is willing to devote to cyber security.
The purpose of cyber security is to reduce business risk, both for the business and for any potential customers and partners. In the past, “best practice” security measures often meant businesses were hamstrung; they couldn’t adopt the business applications they wanted to use because their security tools deemed them too risky. Or it would take days to authenticate new users. Or emails would be held up in quarantine.
For businesses to unleash their true potential, it’s essential that security measures protect the business without getting in the way. For some organisations, that may mean they’re willing to accept a certain amount of risk in favour of operating more freely. For others, it may mean stricter protocols are necessary.
Engaging an external security expert can be invaluable, since most organisations don’t have the internal resources to keep up with ever-evolving threats. Security consultants can offer a clear understanding of the risks a company faces and how to proactively protect against those risks.
When a consultant recommends using a specific solution because “it is best practice,” it’s useful to ask some questions around why they say it’s best practice, how the specific solution will help the business grow or solve an issue, and how success will be measured.