Cyber crime will cost you unless you take the right actions
What you don’t know about cyber crime will cost you. It may initially cost you lost productivity, but that could quickly escalate into lost opportunities because your customers lose trust in your ability to protect their best interests, or it could end up costing you your career.
Cyber crime affects your organisation – your employees, your business partners, your customers and your shareholders. Above all it affects you. Company directors and executives have lost their jobs in the past because of cyber crime.
Yet it doesn’t have to be this way. A change in how cyber crime is perceived and addressed can significantly reduce the impact it has on your organisation.
By understanding the following seven myths you will gain the knowledge to properly address cyber crime, reduce risk, and gain operational efficiency, a return on investment and a competitive edge.
Myth #1 - Cyber crime is an IT problem
Long gone are the days when computers were used only by those with lab coats. We have even advanced past the days when computers looked like this one, here, during times when Bill Gates had a distant vision of a computer on every desk. This is thanks to the e-commerce revolution, which transformed the Internet from a research and academic network into a mainstream platform on which business now lives and relies.
Now everyone in your organisation uses computers and they simply can’t function without them. Everyone from finance, to HR, to marketing and even janitorial services. Cyber criminals need only target your business-critical technology platforms to cause major disruptions and productivity loss – all of which are impacts to the bottom line of your organisation.
Myth #2 - New technology will solve the cyber crime problem
This myth is best explained with an analogy. Let’s go back 500 years to a time when this man here, Christopher Columbus, changed the way we thought about the world. Europeans only knew about the land masses that were connected to Europe. But what was stopping them from discovering the rest of the world? It was not a lack of technology; they had ships. Prior to the 16th century, although early philosophers and astronomers had suggested that the world was a sphere, it seemed preposterous. This was more than 170 years before Newton and his universal law of gravitational attraction. Limiting beliefs created a culture that prevented sailing too far. Once those beliefs were removed, the rest of the world, including the poles, could be explored, and we even decided to tackle going beyond Earth and conquering the solar system.
Cyber crime is not solved simply by acquiring new technology, but with a new belief. That belief is that the right culture must be fostered; then communications, processes, people and, finally, technology can be used as an enabler, not as a crutch as it tends to be used today.
Myth #3 - We just need to get better at stopping all cyber threats
Prevention is better than cure; that’s what any doctor will tell you. We cannot, however, prevent every disease. Cancer, for example, still mystifies us in many ways. Cyber crime, best thought of as the cancer of the digital age, also mystifies us, and prevention is not always possible. When prevention fails, as is increasingly the case with hundreds of thousands of new cyber threats every day and, optimistically, a 30% prevention rate, this leaves your organisation in a highly reactive state.
Prevention needs to be part of a layered defence. This is not a discussion of layers of prevention, such as firewall, intrusion prevention and anti-malware, but of layers of activity:
- Discovery and remediation of vulnerabilities
- Prediction and prevention of threats
- Detection of and response to attacks
- Disclosure of and recovery from breaches
Myth #4 - We can deal with threat prevention failure as it happens
The failure of threat prevention may not seem that big a deal. Your IT team is most likely thinking they will just deal with those failures as they occur. This rather reactive and spontaneous approach to managing incidents, though, is not sustainable and is preventing your organisation from developing a more strategic approach to tackling cyber crime and achieving scalable and consistent results. The worst part is that the way your organisation manages the ever-increasing saga of threat prevention nowadays is like firefighting but, given the pervasiveness of cyber crime, it is more like fighting a bushfire than spot fires.
There is a well-known quote: “In times of peace prepare for war.” There is no better time to perform a stocktake of your assets and review these for vulnerabilities than at times when the warfront is quiet. This is also the perfect time to think about the threats that could harm you, and which of these could progress to attacks, and then breaches. Finally, this is the time to be thinking about the real impacts these could have on your organisation.
Myth #5 - We are not a likely target for cyber criminals
It truly is amazing how many company directors and executives believe that their organisations have nothing of value. Being too small, too far from the source of cyber threats, or not being a bank or military operation does not make you immune to cyber crime. Information is the new currency and we all have some information of value. That makes each of us a viable target.
The very fact you have a name and a date of birth is enough to make you a target for identity theft. Add to this your intellectual property that your competitors would very much love to get their hands on and it is impossible to deny that cyber criminals would not hesitate to take what you have.
We may be remote geographically, but digitally, we are only seconds away from the rest of the world and that makes Australian organisations good targets for cyber criminals. Australia has had sizeable attacks; it is just that most go unreported.
Myth #6 - We can’t afford to invest in top-notch cyber security
The Pentagon had made a huge investment in some of the world’s best security, yet a plane penetrated it. The NSA had some of the smartest technical minds on the planet, yet a man walked out with deep dark secrets that made the NSA look more like the Mickey Mouse Club than an intelligence agency.
No matter how many dollars or brain cells we throw at trying to stop cyber crime, it will prevail. The key is to realise that a layered approach is necessary and that some threats will get through and become attacks and some attacks will ultimately result in breaches with undesirable impacts.
It is how your organisation invests the money it has at its disposal in that layered approach which is key, not how much it invests. This means that you have just as much chance as the biggest banks or defence, if not more, of making cyber crime one of your organisation’s least concerns.
Myth #7 - If we persevere with cyber security we will eventually win
This may seem like doom and gloom, but we can assure you that it is not. It comes down to a simple, shocking, and little-known fact about the way in which your organisation and virtually every other organisation around the globe attempts to combat cyber crime. Cyber security is not the solution to cyber crime. Persevering with cyber security is futile.
Look at the definition of “security”, which is to be free from the threat of danger. It is a premise built on preventing threats to make you feel safe. Threat prevention is not always possible, though. Cyber criminals will find ways to get to your information regardless, and cyber security fails even if 499 out of 500 threats have been thwarted. All it takes is one to succeed and cyber security fails. Would you trust a bank vault which only 0.01% of the population can break into? Would you call it a “secure bank vault” the moment someone broke into it?
The solution to cyber crime is cyber resilience. “Resilience” is defined as being able to adapt even in the face of adversity.