Cybersecurity: an introduction


Effective cybersecurity is hard. And complete cybersecurity is impossible. In fact, in many cases, the whole subject is so difficult that it risks being pushed aside to be dealt with later.

An exaggeration? Well, if you look at any high-profile incident, it's pretty easy to pick out the common factors and use them as a starting point for an effective approach to cybersecurity.

Above all, it's vital to begin with the basics. Many security incidents happen because simple things weren't done; users weren't aware of threats, vulnerabilities weren't patched, risks weren't analysed and processes weren't created. Or if processes existed, they weren't followed.

This sounds easy but, in fact, establishing an effective governance structure and ensuring it is used, reviewed and updated is exceptionally challenging. Which is why so often it doesn't happen.

So the first step towards success is understanding and accepting that this isn't easy, that it won't just happen and that effective cybersecurity is a continuous and sometimes laborious process.

It's also not an exaggeration to say that complete security is impossible; there are just too many variables to make that realistic. So the starting point must be to try to stand back, look at your organisation and identify what is most important. Even this isn't as easy as it sounds; for example, financial institutions might (and, in fact, do) prioritise some elements of their activities over others.

Once you've carried out this process, you need to analyse the potential threats you face. Who might attack you? How? What might their motives be? This is usually called threat analysis and it's based on well-defined models that allow a comprehensive threat matrix to be created. That’s not jargon; it’s simply a way of putting some structure on the risks you face.

Alongside this you need comprehensive policies and standards that set out the procedures and processes your company and users should follow. Again, this isn’t just for the sake of compliance or to tick some boxes.

According to the World Economic Forum, 95% of security incidents involved some form of human error. The point of effective policies is to set out principles and best practices to help users avoid making mistakes.

That means they are living documents requiring regular reviews and updates. And you have to make sure users are familiar with them, understand them and, above all, are actually following them. For example, you might want a condensed version of your key policies that can be used as an aide-mémoire.

So you can see why, although technology provides the structure, it’s people who have to take responsibility for keeping it safe. Effective security design will provide defence in depth; it won’t depend just on keeping attackers out but will adopt a layered strategy that protects and backs up your data while proactively detecting attacks.

But none of that is any use if the people part of the equation isn't working properly. The strategy has to be followed and people have to understand the threats to the business. IT staff have to make sure patches are installed, user groups are administered effectively, authentication is effective and privileges are managed. Again, this is a continual process, not an annual compliance exercise, and so it requires auditing, testing and communication.

Yes. Cybersecurity is hard and you do have to accept that attacks will happen. But that’s all the more reason to invest in keeping your company safe.

Avoid complexity and focus on the basics; identify what’s valuable, analyse the risks, create effective policies and talk to your staff. Together, this will create a solid foundation not just for your information technology but for your business as a whole.
