The Challenge(s) of Cyber Security
Written by Richard Knowlton, Digital Resilience Advisory Board
Usually when faced with a real and present danger, we have a pretty good idea of how to react, even if it’s only by running away.
So why does cyber-security seem to be such a difficult issue for us? Why is it, for example, that only 57% of UK Boards have a clear understanding of the potential impacts of a serious cyber-incident on their business?
There is obviously no simple answer, or we would have cracked the problem by now. I think that the following are some of the factors that continue to hold us back.
Nobody’s sure what “cyber” actually means.
Well, I have some sympathy with that view. It all sounds uncomfortably close to cyborgs (and I had to look that up too). We all use the word with confidence and it’s spawned a myriad of compounds (-risk, -space, -security and so on), but press the average punter, and I’m sure that their eyes will glaze over (see my second point).
By the way: some of us have tried to replace “cyber” with “digital”. Same difference, unfortunately. In any case, it is too late…
It’s just for IT “nerds”
The nerds don’t help us — or themselves — here. They want to own the territory, and they can take a delight in making it as inaccessible as possible to everybody else.
This is not to denigrate the role of IT specialists whose expertise is an essential component of managing cyber-risk. But I strongly believe that it’s a fundamental mistake to see cyber-security as a purely technical, operational issue that is the sole responsibility of the IT function. There are several reasons:
- Competence. Many (I would say the great majority of) successful cyber-attacks exploit human vulnerabilities and behaviours. These are not issues which management can just leave to an IT department.
- Impact. While IT is clearly incredibly important in the modern business, it usually remains a “back-office” function several layers away from strategic business decisions. As a result, it often struggles for resources and budget.
- Influence. If your company regards cyber-security as a purely IT responsibility, then the rest of the business will not regard it as their problem. This inhibits critical analysis of security issues across the organisation, and inevitably hampers the implementation of your security strategy.
It’s just too complicated
Modern consumers want their devices to be as simple and fast as possible. Unfortunately, those are not the first words that come to your mind when you hear the word “security”.
And the modern digital world is complex. Even in smaller businesses, you may use a variety of different devices, programmes and network services. If you work in a bigger organisation that has grown quickly through acquisition, you will have significant issues around the secure integration of different legacy systems and software. This complexity is a problem in itself for security executives, and it also feeds a paradox.
Many companies simply do not see security as a business priority: it only adds delay, cost and complexity. Meanwhile, the hackers need only a small investment of time and money to get a substantial return on investment. And their chances of being caught are vanishingly small.
Let’s just get on with it
The digital world is rolling out at breakneck speed. Even if it were their top priority, many businesses would struggle to be as fleet-footed in security as the hackers are at breaking it down. Meanwhile, modern business techniques, like 24/7 external access to data or complex international supply chains, greatly improve profitability.
The pressure to go with that profitable flow is intense, but many organisations still do not understand just how far they are increasing cyber-risk if their security strategy is not carefully thought-through and applied intelligently.
The bottom line…
Hackers will almost certainly get inside your systems if they want to — even if they are not that sophisticated. So, is the situation hopeless?
Most successful cyber-attacks rely on poor discipline and processes in the target organisation — to the extent that employees, sub-contractors and others with access to your IT systems probably pose a much bigger potential risk than an IT failure.
We know some of the basic “hygiene” rules, but in a pressured environment, it is easy to forget them. Or more usually they have not been taught in the first place.
The good news is that with systematic and imaginative awareness training, companies really can drive down risks from the human factor.
Look at how seriously health and safety is now taken in the UK. A company that insists that security is at least as important as health and safety will be in a much better position to defend itself against cyber-attack.
Originally published at digileaders.com on September 4, 2017.