Cybersecurity is one of the great issues of our time. As organisations have become increasingly dependent on computer and data communication technology, the opportunity for thieves has grown. Couple that with the lack of national boundaries in cyberspace and the relatively low probability of being caught and the risk/reward ratio makes cybercrime much more attractive than taking a sawn-off shotgun into a bank. The “attack surface” grows all the time. By 2020, it is estimated there will be 4 billion people online and the Internet of Things will be up and running, interconnecting 26 billion internet enabled devices and thereby allowing a thief who can find an entry point to jump from device to device. There is also no sign of this growth of complexity ever stopping, so the opportunities for cyber-thieves will only increase.
Organisations are getting better at protecting themselves. Software updates are usually implemented quickly or automatically now, so vulnerabilities are blocked before the attacker can exploit them. Vulnerabilities usually occur because different modules within a large software system are written by multiple coders, with differing habits. No matter how well specified and tested the modules are, there will always be slight variations in the way things work because each person does things slightly differently. It is these small differences the thief is looking for.
Firewalls are better than they were. Most people have enough awareness to know they are exposed if they are not behind a firewall and most people have enough sense to run anti-virus software and keep it updated. Simple attacks are therefore mostly blocked by technology. A reasonable guess is that 99 per cent of attacks are blocked before they do any harm. But that would still leave one per cent of a large number that do get through. It is clear that technology alone cannot defeat cyber-thieves.
The cyber weakness
Thieves always turn to the greatest source of weakness – people. People are inconsistent. Some care about protecting themselves online, while others do not realise the dangers which exist. Some are cautious about opening email attachments, some are not and often live to regret it. A thief can exploit these inconsistencies and weaknesses. Business policies do not help, as when performance is measured on things like sales numbers, hitting deadlines and cost savings, there are rarely employee incentives for strong cybersecurity.
Outside the office, people are careless online in ways they would never be elsewhere. Social networks create digital footprints which are often impossible to remove or improve once they exist. It is not difficult for a researcher to move from reading Facebook personal information to researching the same person on Linkedin to find their professional profile, then to find their colleagues and find a way in, perhaps by emulating a colleague. Indeed, some people do this for a living, researching likely targets, finding all their personal details, before selling that profile, together with all the supporting information, on the dark web to criminals who will use it to steal from the person or their employer.
So how should an organisation approach the soft, people issues involved in cybersecurity? Perhaps the first recognition businesses should make is that people do not listen, do not pay attention and often simply do not do what they are told even when they do listen and understand. The ability to influence and persuade is more important than the ability to write procedures. Unfortunately, the soft human resources and psychology skills needed to approach the issue in this way are often not the skills possessed by the people responsible for cybersecurity.
Cybersecurity is generally seen as a part of the IT department. As such, it attracts IT professionals who understand and analyse issues before writing procedures to address them, but lack the necessary skills to train and persuade the professionals on the front line. Mandating does not work, but it is the way most organisations deal with the issue.
Time to take a stand
As far as cybersecurity is concerned, it often gets lost in the shuffle. Most organisations have poor management and auditing practices, weak or non-existent personal risk assessments and pre-employment screening. Simultaneously, communication between the arm of the business responsible for cybersecurity and the workforce is almost non-existent. Many managers regard cybersecurity as a nuisance they have to deal with, taking time away from what really matters in achieving their objectives.
It can be hard to generate a truly beneficial interaction between the people responsible for IT security and the rest of the organisation. People often do not like being told what to do, even when they listen. Relationships take a long time to develop and need a lot of nurturing but employees will respond and contribute if they are treated like adults and persuaded to build a culture of online security awareness. The key is developing everyday practices that help people feel secure online and, over time, developing a culture in which people implement those practices without resentment and without thinking about them.