Cybersecurity is big business. It impacts industry and individuals alike and doesn’t discriminate. Last year, Verizon reported that 71% of breaches were financially motivated, 25% came from espionage, and 21% were caused by human error. Unsurprisingly, according to Gartner, spending continues to rise and is forecast to reach $133.7 billion by 2022. Furthermore, from 2019–2023E, approximately USD 5.2 trillion in global value will be at risk from cyberattacks.
Whilst this is concerning, when talking to executives outside of security, like I did on a recent masterclass with Nowcomm, it’s vital they understand of the following:
1. All attacks are not sophisticated.
Hackers don’t reinvent the wheel for every attack they execute. These days, hacking as a service is cheap. It starts at just USD 5 per hour, USD 30 per day, or less. Attacks are automated whenever they can be, and the methods bad actors use are mostly similar, if not the same.
2. Hackers don’t purely target big businesses.
They target low hanging fruit. They follow the money trail. That’s businesses that believe they’ve invested enough in cybersecurity (but haven’t) and/or are overconfident and think they won’t be targeted (but are). Last year, according to Verizon, 43% of cyberattacks targeted small businesses.
3. Hackers are creative, adaptive, resourceful, and business-like.
They make guarantees, offer support contracts, and will find a way into your organisation. That could be through common hacking techniques like phishing, bait and switch, cookie theft, deep fake, password cracking, social engineering, and so on. It could be through your organisation, directly, or through your supply chain. According to Gartner, 60% of organisations are now working with more than 1,000 third-parties. That’s why no matter how big or small your organisation is, it’s really only a matter of time before you’ll be breached, or you discover you already have been. IBM found that the average time to identify a breach in 2019 was 206 days. This doesn’t include the time it then takes to rebuild what was lost.
4. Human error causes many data breaches.
The figures vary with Verizon reporting 21%, IBM reporting 24% and Cybsafe reporting 90% in 2019. Given the remote working and flexible working status globally, the successful cyberattacks into home networks, reaching vulnerable home workers on unsecured devices is on the rise.
5. Security intelligence comes with a high pay off.
When Accenture analysed 9 cutting-edge technologies that are helping to reduce cybercrime, and calculated their net savings: the total potential savings minus the required investment in each type of technology or tool, they found the figure amounted to almost USD 2.3 million.
Data is a strategic asset for any business and any hacker, so when it comes to protecting an organisation from cyberattacks and compliance failures, one of the most common problems I see is the ability of leaders to identify the risks they face, as well as evaluating, communicating, and tackling them in a timely fashion.
This was something I discussed in a masterclass I chaired with Nowcomm co-founder James Baly and head of services Kevin Prone, as well as future of work expert, Perry Timms, which you can still get access to here.
There are several reasons why. Here are my insights.
Often, I see a tendency to deal with risk management as a compliance issue that can be solved by creating lots of rules and ensuring employees follow them. Typically, this way is supported by the media, regulators, investors, training companies and certifying bodies. However, whilst having rules and security policies is a sensible thing to do and can lower some risks that could weaken an organisation, rules alone won’t reduce the likelihood or eliminate the impact of all misfortunes.
Compliance and security are not the same thing.
Compliance is all about protecting your organisation’s reputation and making sure you won’t be sued, fined, or subjected to other penalties. It’s about making sure your organisation complies with the various requirements it needs to. Cybersecurity, on the other hand, is about safeguarding information assets from damage or theft. Both share the same goal – to reduce risk – and both design, establish and enforce controls to protect an organisation. However, both have very different drivers and actions. And whilst they may overlap, compliance with common cybersecurity standards can disguise some very weak security practices.
Most organisations don’t define what risk means to them, which ironically is a threat. You see, risk is an abstract concept, and as it affects our lives 24×7, when you have a clear definition of what it means to your organisation and have a culture of security awareness embedded, it enables you to ask better questions around your business practices and how you operate. You can then challenge assumptions and get superior collective outputs. It puts you in a better position to ascertain which strategies you’ll use to accept, avoid, transfer and limit risk.
Numerous studies have documented how men and women gauge risk differently. It’s something I wrote extensively about in my book, IN Security. It turns out that men are substantially more overconfident than women. Typically, men will overestimate their ability to influence events that come about due to chance. Men will be overconfident about the accuracy of their forecasts and risk assessments, and too limited in their assessment of the range of outcomes that may occur. As a result, they’ll take on more risk.
Confirmation bias, further compounds the problem. This happens because of our individual beliefs and when we’d like something – like an idea, concept or event, to be true. It drives us to be non-partial, to favour information that supports our views, to stop collecting information when the evidence confirms those, or to discount or suppress anything that doesn’t. It also causes us to become even more committed to proving we’re right (when we’re not), andtofoolishly directing even more resources into doing so.
Extensive behavioural and organisational research has revealed how dangerous cognitive biases can be, for they block us from thinking about and discussing risk until it’s too late. They breed cultures of groupthink, too, which are more heightened when teams face uncertain or challenging times, like now. Or, when a team is led by an overly dominant, confident, closed minded or arrogant leader. Here, once an idea or action has gathered support within a group, individuals with objections, however valid, will suppress them and follow the common group stance.
These biases show how easy it is to misinterpret, underestimate, overlook and essentially incubate risk, and why risk management must counteract these biases.
There are many different ways of approaching risk in cybersecurity, for example a system approach and a component approach, and the UK NCSC has an excellent resource guide to up level all. No matter which approach you use, there are different standards and frameworks (like NIST and FAIR) to help you. But know this. Whilst managing cyber risk does require you to use risk management standards and frameworks, it’s not a case of using one over another. One size does not fit all. They shouldn’t exist in isolation. They need to suit your culture.
Engaging with experts, outside your organisation, can have a profound effect on managing risk successfully, especially if they don’t all come from cyber. By having a risk review board to act as devil’s advocates it can reduce blind spots and force you and your team to think in advance about how you’ll describe and defend your decisions, and whether you’ve sufficiently considered the risks. It requires strong leadership, an out-of-the-box thinker and someone who is open-minded. Not every leader has a stomach to champion a practice that could identify the risks in the strategies that they’ve helped to formulate.
Effective risk management requires a certain type of culture. Ideally, you want a diverse team filled with individuals who aren’t just capable, but who are also humble to learn. When you work with some of the best professionals, who might have gone to top schools and universities, sometimes you’ll find they won’t always have experienced many failures there. Or, they might have been brought up in environments where failure was penalised. Therefore, one of your biggest challenges can sometimes be in establishing a new risk culture – one where you can get your teams to feel OK about failure and have open discussions about what could go wrong with their “brilliant” ideas, processes, or designs.
Psychological safety is key to top performance in any industry, but as cybersecurity has such a strong blame culture, it’s vital we make this shift. Leaders must ensure their teams know when they can challenge strategy, project design, risk assessment and risk mitigation decisions, and help them to feel safe when they do. This bridges the gap between operations and culture.
Risk and strategy are very different beasts. They exist at both ends of the spectrum. Risk management focuses on the negative—threats and failures, whereas strategy management focuses on the positive—opportunities and successes. To build an organisation that aspires to be more than conventional and realise as many good opportunities as it can, clearly you need to be managing both well. Only by ensuring you’ve got the right combinations of people, processes and technology can you do this.
Now I want to hear from you…
- Please share with me your insights for managing cyber risk.
- Then, seize an opportunity. Gain more insights on cyber risk and ensure you’re managing it appropriately. Register for the masterclass I chaired with future of work expert Perry Timms, and Nowcomm co-founder James Baly and head of services, Kevin Prone. Nowcomm is a specialist in networking, collaboration, and security technology solutions and when you sign up for this FREE masterclass between now and October 31st, 2020, you’ll also automatically receive a 50% discounted NIST security assessment.
Finally, in the spirit of full disclosure, please be aware that I’ve received compensation for promoting this #ad for Nowcomm. Because your success is important to me, I only align myself with brands I believe in, and Nowcomm is one of them.