Cybersecurity – Risk Management Crashes the Boardroom

Many companies will convince themselves they have nothing of value to hackers. Bad luck, all data has a value and all companies have something which will interest cybercriminals.

“It is not the strongest that survive, nor the most intelligent, but the one most responsive to change”.

Charles Darwin

Risk Management Is Now Top of the Board Agenda.

With business interruption, reputational damage and cybercrime being the top 3 concerns, they know they face highly resourceful criminals and law enforcement agencies that are overwhelmed by the scale of their task.

Cybercrime everywhere is classified as a ‘Tier 1 Strategic Threat’, sitting alongside terrorism, international military crises and major natural disasters. The exponential rise of cybercrime and its global nature has created a virtual tsunami of risk. New laws seek to force businesses to raise their game. They come replete with revenue based fines and personal liability for those in control functions. Bilateral cross-border jurisdictional agreements are increasing – so best you know where your liability lies. The US is particularly aggressive about chasing foreign miscreants. Criminal convictions and jail time are now real possibilities for those who are negligent with data in their custody.

The problem(s): Cybercriminals seek vulnerabilities and not just those in your technology. They work on risk/reward and follow the money.

Language: Gobbledegook. A mystical language (e.g., endpoints and sockets for devices and connections) appears intended to confuse.

Endless acronyms; BYOD, AFH, 3DES…. add to impenetrability.

Use of language: ‘Cybersecurity’ when they mean ‘Information Security’ – this probably seems pernickety, but say ‘cyber’, think ONLY ‘cyber’ – which is what vendors want. Just remember, your threat begins long before you get anywhere near a computer. If a compromise occurs outside of your security perimeter, you may never know.

Secrecy: Victims are desperate to avoid reputational damage so keep very quiet whenever they can. Frequently, law enforcement agencies are not informed of a breach. Maybe only 5% – 10% of breaches ever become public knowledge, masking the true scale of the problem and fuelling ignorance based complacency.

Vendors: Cybersecurity vendors issue propaganda and then sell expensive ‘solutions’ into it. These solutions have often been developed with poor inherent security. Then they sell expensive fixes to patch the holes. A complex ecosystem has evolved around this merry-go-round. What their expensive sales force won’t tell you is that there is much that you can do to defend your data before you need to invest in expensive technical solutions.

Too Small to be of Interest: Many companies will convince themselves they have nothing of value to hackers. Bad luck, ALL data has a value and ALL companies have something which will interest cybercriminals. NO business is too small to be of interest.

The Rules Do Not Apply to Us: For now, regulators are focused on financial/critical infrastructure companies and new laws are primarily aimed at them. Nevertheless, up to 80% of data breaches in larger companies enter through vulnerabilities in their supply chain. Suppliers are a constant source of cyber infection. Regulated companies will pass these legal requirements on to their suppliers.

Andrew Taylor

CEO of Bronzeye IBRM

BronzeyeIBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.