Don’t be fooled by ‘best practice’: why too many organisations fail to implement the right cyber security measures

The business sector excels at creating words and acronyms that become an accepted part of daily business-speak. In many cases, these words become meaningless over time, used as space-fillers by people who think they sound smarter if they use certain buzzwords.

‘Best practice’ is a key example of a term that has lost its meaning over time. When it was originally coined, it referred to a way of doing things that would yield the best possible results and avoid unnecessary effort or spending. Now, ‘best practice’ is often used as an excuse for not thinking more deeply about how to approach something. For many people, the fact that the industry has deemed something ‘best practice’ is reason enough to adopt it without asking any further questions.

This can be dangerous when it comes to cyber security, as malicious attackers are becoming more sophisticated and are often funded by organisations with deep pockets. The threats are evolving as fast as security organisations can find new ways to combat them.

In the right context, ‘best practice’ is ideal. If the best practice has been well considered, thoroughly researched and tested, then it makes sense for organisations to avoid reinventing the wheel and go with the ‘best practice’ recommendation. The danger arises when today’s ‘best practice’ was actually best practice two years ago, or hasn’t been thoroughly tested against all current cyber risks.

The ongoing game of cat-and-mouse isn’t likely to ease up soon, since organisations are only becoming more digitised, not less. This means there will be more useful information up for grabs for smart hackers.

Instead of accepting ‘best practice’ recommendations at face value, we recommend considering various types of security measures and approaches based on critical information including: the level of risk faced by the organisation; the potential consequences and costs of specific types of attacks; and the amount of resources the organisation is willing to devote to cyber security.

The purpose of cyber security is to reduce business risk, both for the business and for any potential customers and partners. In the past, ‘best practice’ security measures often meant businesses were hamstrung; they couldn’t adopt the business applications they wanted to use because their security tools deemed them too risky. Or it would take days to authenticate new users. Or emails would be held up in quarantine.

For businesses to unleash their true potential, it’s essential that security measures protect the business without getting in the way. For some organisations, that may mean they’re willing to accept a certain amount of risk in favour of operating more freely. For others, it may mean stricter protocols are necessary.

Engaging an external security expert can be invaluable, since most organisations don’t have the internal resources to keep up with ever-evolving threats. Security consultants can offer a clear understanding of the risks a company faces and how to proactively protect against those risks.

If you would like more information, don’t hesitate to contact us.