Cybersecurity – Risk Management Crashes the Boardroom

Many companies will convince themselves they have nothing of value to hackers. Bad luck, all data has a value and all companies have something which will interest cybercriminals.

“It is not the strongest that survive, nor the most intelligent, but the one most responsive to change”.

         Charles Darwin

Risk Management Is Now Top of the Board Agenda

With business interruption, reputational damage and cybercrime being the top 3 concerns, they know they face highly resourceful criminals and law enforcement agencies that are overwhelmed by the scale of their task.

Cybercrime everywhere is classified as a ‘Tier 1 Strategic Threat’, sitting alongside terrorism, international military crises and major natural disasters. The exponential rise of cybercrime and its global nature has created a virtual tsunami of risk. New laws seek to force businesses to raise their game. They come replete with revenue based fines and personal liability for those in control functions. Bilateral cross-border jurisdictional agreements are increasing - so best you know where your liability lies. The US is particularly aggressive about chasing foreign miscreants. Criminal convictions and jail time are now real possibilities for those who are negligent with data in their custody.

The problem(s): Cybercriminals seek vulnerabilities and not just those in your technology. They work on risk/reward and follow the money.

Language: Gobbledegook. A mystical language (e.g., endpoints and sockets for devices and connections) appears intended to confuse.

Endless acronyms; BYOD, AFH, 3DES…. add to impenetrability.

Use of language: ‘Cybersecurity’ when they mean ‘Information Security’ - this probably seems pernickety, but say ‘cyber’, think ONLY ‘cyber’ – which is what vendors want. Just remember, your threat begins long before you get anywhere near a computer. If a compromise occurs outside of your security perimeter, you may never know.

Secrecy: Victims are desperate to avoid reputational damage so keep very quiet whenever they can. Frequently, law enforcement agencies are not informed of a breach. Maybe only 5% – 10% of breaches ever become public knowledge, masking the true scale of the problem and fuelling ignorance based complacency.

Vendors: Cybersecurity vendors issue propaganda and then sell expensive ‘solutions’ into it. These solutions have often been developed with poor inherent security. Then they sell expensive fixes to patch the holes. A complex ecosystem has evolved around this merry-go-round. What their expensive sales force won’t tell you is that there is much that you can do to defend your data before you need to invest in expensive technical solutions.

Too Small to be of Interest: Many companies will convince themselves they have nothing of value to hackers. Bad luck, ALL data has a value and ALL companies have something which will interest cybercriminals. NO business is too small to be of interest.

The Rules Do Not Apply to Us: For now, regulators are focused on financial/critical infrastructure companies and new laws are primarily aimed at them. Nevertheless, up to 80% of data breaches in larger companies enter through vulnerabilities in their supply chain. Suppliers are a constant source of cyber infection. Regulated companies will pass these legal requirements on to their suppliers.

What to do?

In a recent survey, 2% of respondents said that they would sell their company’s data for as little as $10. At $1,000, 15% would.

Criminals are offering $20,000 for Google employee logon credentials, we hear. Google invests much effort in its own security, but it is impossible to make any system totally impregnable. Impossible. Even for Google. The survey mentioned above suggests a reasonable possibility that one of Google’s c.20,000 workforce will sell. Success will buy the criminals a goldmine. $20k will look like an absolute bargain.

Like cars and guns, computers are not intrinsically dangerous. Around 4 in 5 data breaches are initially caused by human error (or, occasionally, a malicious action by an (ex)employee). This is known as the ‘insider threat’.

A well constructed governance regime, proactive management and a good education and training programme at the heart of any Information Security efforts will ensure a significant lowering of the general cyber risk and increase crisis management capability. In the process you will create many more trained eyes to work with your security staff. That has to be a good thing too.

Then you can concentrate on creating a more robust and cost effective IT security solution. Any acquisition of potentially expensive technology will only be actioned in response to a genuine need. All the above should be guided by a comprehensive threat assessment involving all aspects of the risk (physical, cyber and governance). Strong governance will enable a Board to create a comprehensive ‘Information Security’ culture and process throughout the whole organisation.

Think human, BEFORE you think cyber.

Think security, NOT compliance.

Think Be Cyber Sure 

www.becybersure.com