Martyn Smith, Logically Secure Ltd: Information Assurance Problems

March 2010 by Martyn Smith, Senior Security Consultant, Logically Secure Ltd

Information Assurance is about much more than placing barriers between attacker and target. Instead, procedures and controls must be woven into the fabric of an organisation; security must become part of normal business, rather than an additional set of measures surrounding it, if it is to be truly effective. Security is not a product; it is a managed process with no end state. It is a state of mind.

The problem is how to ensure that daily business is as secure as possible whilst maintaining the flexibility to respond to changing or unforeseen circumstances. Trading flexibility for rigid measures will neither assure security nor enhance business. However, abandoning security solely for the sake of that flexibility would be reckless in the extreme.

The introduction of incremental security can help many businesses, large and small, to develop or transform their practices, promoting the gradual development of workable processes and the seamless integration of appropriate technology. Even where security practices are already in place, it can be beneficial to start again from the beginning, adding, refining or replacing outmoded and missing measures.

The real trick is to recognise the point at which further measures add little value to the overall protection of the business, or at least the point at which their cost extends beyond the value of the business's outputs and the amount of risk it is willing or able to take. The measures in place can be checked by audit against a recognised standard by a qualified individual, but the subjectivity applied to the results often yields either no clear assessment of effectiveness or a false sense of achievement. Even so, it is still beneficial to have an impartial eye cast over security measures if an organisation wishes to hold itself up as an example to others.

Also, organisations that outsource often do not look at potential providers’ security, or lack of it, to ensure it will not undermine their own. Information that has been strongly protected within the business is placed at risk the moment it is sent to a service provider, so it is of paramount importance that both parties can understand and articulate their respective positions in relation to the security they provide and expect in return. Assurances are one thing, but verification that the very same policies and practices are present in both companies would be significantly better. Always remember the adage that “Trust is the absence of a control measure.”

Finally, the single biggest reason for systemic security failures in any organisation is the lack of support for the policies and procedures that make up the organisation’s security measures. This support is critical. The value of formulating policy and procedures and deploying technological barriers is lost if there is no firm commitment from the executive body. Executive boards must ensure that they formally endorse and fund all policies at board level and demonstrate their own adherence to those policies. Successful spear phishing attacks are usually the result of senior executives ignoring the procedures they impose on their staff, or of an insistence on having unnecessarily high-level privileges on their IT system. As was mentioned at the beginning, security is a process, and one that requires all parts of the organisation to follow it.

