Managing cyber risk beyond the obvious
One of the most frustrating aspects of the cybersecurity landscape is the number of risk factors that are not visible at ground level, particularly those related to human factors.
As humans, the way we view, assess and manage risk differs considerably across countries, regions, cultures, sectors, organisations, and even teams within the same organisation. Typically, risk management in cyber security has focused on technical risk rather than on business or human factors. The recent global surge in business disruption, caused in particular by ransomware, is forcing organisations to adopt a business risk management strategy. This represents a challenge for the cyber security folks who are being asked to step into unfamiliar territory involving business decisions and an understanding of human and organisational psychology. In addition, many organisations are not even equipped with the risk functions (enterprise, operational, IT and security) required to develop resilient and secure cyber strategies.
Over the past decade or so, it has become the norm for organisations to provide basic education and training on “cybersecurity awareness” to all new staff, and on an annual basis to all staff. This usually takes the form of 20-30 minutes of computer-based training (CBT) followed by a short test. This allegedly satisfies the perceived requirement to be able to evidence having provided adequate education and training on cybersecurity. Yet a brief visit to the Information is Beautiful website shows clearly that the number and scale of data breaches are growing. And data breaches are just one form of cybersecurity incident. Is it reasonable to conclude, therefore, that the common approach to education is not working? We think so.
What happened to building healthy security cultures?
One of the challenges, of course, is that you cannot see a culture. Cultures are hard enough to describe, let alone visualise or change. The education and training issues are a symptom of a malaise that is endemic across the majority of organisations globally: the current tendency to view compliance as more important than performance when it comes to issues like the environment, social responsibility and governance (ESG), risk management, cybersecurity, and diversity, equity and inclusion (DEI). But it is not impossible to change corporate or organisational cultures. In high-risk industries such as oil and gas, heavy industry, logistics, waste disposal etc., where loss of life and serious injury are a daily threat, safety culture has long been seen as an essential element of the overall culture of the organisation. Spot the people walking up and down stairs holding the handrail at all times and there is a good chance they work in a safe culture. Or they are just sensible. Despite the cries from sceptics of “health and safety gone mad” when restrictions are placed on an activity to make the people involved less prone to being killed while doing their jobs, the number and severity of safety failures have dropped significantly in many parts of the world.
Are we being fanciful in finding a link between these two issues, safety and security? Between the need to embed security thinking in the minds of everyone in the organisation, and the need to raise not just awareness but a deep understanding of the behaviours that will prevent or detect potential security events before they do too much damage?
Let’s face it, good habits are not formed by doing 30 minutes of CBT once per year. Habits create cultures, for good or bad. They need to be formed carefully and voluntarily, tended carefully, positively reinforced and celebrated constantly.
Some people think they are safe from attack because they do not see their computers as being very interesting. In fact, what is interesting about those computers is their lack of protection, which allows threat actors to take control of them in the background and use them to attack their real targets, or simply to sit there collecting usernames and passwords for online accounts, which can then be sold.
So there’s no room for complacency, for thinking “it won’t happen to me”. Unless you have appropriate defences in place, gain some understanding of how to protect yourself and your family, and use online services safely, the chances are that, without wanting to seem hysterical, the compromise has already happened.
Beyond the illusion of fear
As humans, we instinctively fear what we do not understand, even to the extent of unconsciously refusing to see the threats that seem clear to those with a more detailed understanding. In the realm of cybersecurity, the only constants are change, evolution, adaptation and innovation. We must all, specialists and non-specialists alike, be open to learning about new or changing threats as they appear, at a growing rate which is already in excess of 500,000 new threats daily.
This is the way we live now: everyone is glued to their screens, and social media is just part of everyday life for people of all ages and demographics. How do you navigate cyberspace safely? How do we learn to keep ourselves and our dependents safe and secure, striking a balance between the joys of using the worldwide web and social media and keeping a sense of perspective and realism about the dangers, in which fear is an important emotion? When we talk about what we don’t see, we hope to encourage you to approach it with a mindset that accepts that everything unfamiliar makes us feel uncomfortable, and that this is normal, natural and rational. The more we learn, the less mysterious the whole issue becomes, and thus the less frightening.
Nadja’s work focuses on the connections between cybersecurity and emotional intelligence. Not everybody sees the link immediately, but if you take the technology out of the equation for a moment, cybercrime, for example, involves one or more people trying to obtain something from one or more other people by deception, theft, or other illegal or unethical means. The technology is involved merely as a tool for carrying out the illegal activity on a massive scale with little effort. Understanding how to build emotional and psychological defences against deception, fraud etc., not to mention against trolling, bullying and other offensive uses of technology, can only be a positive thing for the cyber citizen.
Imagine your devices as your online homes. In your real-life home, you have locks on doors and windows, you have smoke and fire alarms, and you have a doorbell or knocker to warn you when someone wants to come in. More sophisticated but still affordable defences include intrusion alarms, either stand-alone or monitored. These things are no longer considered unusual, nor are the people who install them considered paranoid; it is just a healthy response to a known threat. The same kinds of defences can and should be activated for our online homes too: most devices from reputable vendors now have password, passcode or biometric locks as standard. Many provide intrusion detection and remote monitoring capabilities too. If you lose a device and have set it up correctly, you can locate it and alert the authorities, or wipe it clean and disable it to make it useless to the person who stole it. All without significant effort.
So here’s a fact for the sceptical. If you start up a brand new computer and connect it to the internet before you install or activate any defensive features or tools, in significantly less than one minute it will have been compromised.