Risk Management is a Board Problem Now

As the construction sector becomes increasingly digitised, it faces new challenges. Andrew Taylor, CEO of BronzeyeIBRM, talks about risk management and its role in tackling cybersecurity…

“It is not the strongest that survive, nor the most intelligent, but the one most responsive to change.”

        Charles Darwin

Risk management is now top of the board agenda

With business interruption, reputational damage and cybercrime being their top three concerns, boards are acutely aware that they face highly resourceful cyber criminals. It should be clear, too, that law enforcement agencies are broadly overwhelmed by the scale of the cybercrime battle.

Cybercrime everywhere is classified as a ‘Tier 1 Strategic Threat’. It joins terrorism, international military crises and major natural disasters to create the ‘Three Horsemen of the Potential Business Apocalypse’. The exponential rise of computer-based crime and its global nature has created a virtual tsunami of risk. New laws seek to force businesses to raise their defensive game. These laws come replete with revenue-based fines and personal liability for those in control functions. Bilateral cross-border jurisdictional agreements are becoming the norm – so best you know where your liability lies. The US is particularly aggressive about chasing foreign miscreants. Criminal convictions and jail time are now real possibilities for those who are negligent with data in their custody.

The problem(s): Cybercriminals seek vulnerabilities, and not just those in your technology. Any vulnerability will do. They, like the rest of us, are motivated by risk and reward and follow the money.

Language: Gobbledegook. That mystical cyber language – endpoints for devices and sockets for connections, for example – appears intended to confuse deliberately.

Endless acronyms: BYOD, AFH, 3DES… add to impenetrability.

Use of language: ‘Cybersecurity’ when they mean ‘Information Security’ – this might seem pernickety, but say ‘cyber,’ think ONLY ‘cyber’ – which is what vendors want. That’s like starting the alphabet at F and finishing at R! The front and back are missing. But they have got lots of technical cash-cows they want to sell you. Just remember, your threat begins long before you get anywhere near a computer. If a compromise occurs outside of your security perimeter, you may never know.

Secrecy: Victims are desperate to avoid reputational damage, so they keep quiet whenever they can. Frequently, police and regulators are not informed of a breach. Maybe only 5% – 10% of breaches ever become public knowledge, masking the true scale of the problem and fuelling ignorance-based complacency.

Vendors: Cybersecurity vendors issue propaganda and then sell expensive ‘solutions’ into it. These solutions may have been developed with poor inherent security. So then they sell expensive fixes to patch the holes they created in the first place. A complex ecosystem has evolved around this merry-go-round. What their expensive sales force won’t tell you is that there is much that you can do to defend your data before you need to invest in expensive technical solutions.

Too small to be of interest: Many companies convince themselves they have nothing of value to hackers. Bad luck, ALL data has a value, and ALL companies have something which will interest cybercriminals. NO-ONE is too small to be of interest.

The rules do not apply to us: For now, regulators are focused on financial/critical infrastructure companies and new laws are primarily aimed at them. As many as 4 in 5 data breaches in larger companies originate in their supply chain. Suppliers are a constant source of cyber infection and reinfection. New regulations will put pressure on companies and we know that nasty things roll down hill – they will mitigate their risk by insisting their suppliers’ cyber security is up to speed.

What to do?

In a recent survey, 2% of respondents indicated they would sell their company’s data for as little as $10. At $1,000, 15% would.

Criminals are offering $20,000 for Google employee logon credentials, we hear. Google invests much effort in its own security, but it is impossible to make any system totally impregnable. Impossible. Even for Google. Someone, probably several, in Google’s c.20,000 workforce will sell. Success will buy the criminals a goldmine. $20k will look like an absolute bargain – and don’t let the $ sign fool you into thinking it doesn’t happen here too.

Like cars and guns, computers are not intrinsically dangerous. IBM recently said that 95% of breaches involve human error (or malicious act). This is known as the ‘insider threat’ and it is absolutely the biggest threat to ALL companies.

A well-constructed governance regime, proactive management and a good education and training programme, which should be at the heart of any Information Security effort, will help to counter the ‘insider’ threat and ensure a significant lowering of the general cyber risk. In the process, you will create many more trained eyes working on your security efforts. All of this will improve crisis management capability. All positive stuff.

In conjunction with a comprehensive threat assessment which draws together all aspects of your risk (physical, cyber and governance), you can then concentrate on creating a robust, cost-effective IT security solution. Any acquisition of potentially expensive technology will only be actioned in response to a measured and genuine threat. Strong governance enables a Board to create an effective ‘Information Security’ culture throughout the entire organisation.

Think human, BEFORE you think cyber.

Think security, NOT compliance.

Be Cyber Sure.

Andrew Taylor

CEO of Bronzeye IBRM

BronzeyeIBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.