Many of us have doorbell cameras or even complete security systems that monitor the access points of our homes. We have locks and alarm systems at our offices, maybe even cameras. But what about break-ins that happen regardless of doors or windows? Hackers know how to get into your offices, homes, and mobile devices without needing to penetrate any physical barriers. Yet many organizations take no steps, or too few, to keep out cyber thieves until after they’ve been hit with a crime. And too often, they have suffered terrible losses, both financially and to their reputations.
Hacker knows best
According to former UK hacker Daniel Kelly (known as the TalkTalk hacker), who served four years in prison for his crime, “Speaking from personal experience, businesses only care after they’ve been attacked.” Kelly’s breach cost the company he targeted £77m and the loss of data for 150,000 customers. You can rest assured that the company regrets its decision not to take extra steps to protect its confidential information earlier! But asking organizations to invest in protecting themselves from something that may never happen can be challenging. The mindset of “We’re very careful; it won’t happen to us!” is prevalent, even at organizations that do not have every reasonable security measure in place. Unfortunately, just being cyber “aware” is not enough. Yes, cybersecurity awareness training is crucial. But you also need other tools in place to combat the occasional human error.
You don’t know what you don’t know
First things first: Get a cybersecurity audit to find out what you need and what’s missing. A typical audit involves a systematic review of the security policies, practices, and controls of your organization. It aims to identify and address any vulnerabilities, risks, or gaps in your cybersecurity posture. Some common elements of a cybersecurity audit are:
- Vulnerability assessments of networks, systems and applications
- Monitoring of network activity to look for anomalies or signs of compromise
- Deploying tools to identify and block malicious access attempts
- Configuring a firewall to regulate the flow of traffic between different zones of the network
- Updating all software and hardware with the latest security patches and fixes to prevent any known vulnerabilities from being exploited
These are just some of the basic parts of a cybersecurity audit. If you want to be even more thorough, you can include things like incident response and disaster recovery planning, employee training, and much more.
Don’t wait ‘til it’s too late!
So, heed the advice of a rehabilitated hacker: The time to protect your organization is now, not after you’ve been breached. Just as you [should] have a checkup with your doctor once a year to maintain good health, so too should your organization get a regular security “physical”. Because what you don’t know can most definitely hurt you.