The Colour of Cyber
What is cyber? Is it just IT? Is it computers, mobile phones, applications? Does it include information security, data protection, physical security, websites, emails, printed emails? If cyber cannot be clearly defined to your employees, then how can you expect them to secure it? Although the UK’s NCSC defines cyber security as “protecting the devices we all use (smartphones, laptops, tablets, and computers), and the services we access – both online and at work – from theft or damage”[i], there is no agreed upon definition published by an international body. A cohesive approach to defining ‘cyber security’ is required to reduce confusion around its scope.
Smoke and mirrors – Too much jargon
The cyber community often don’t help themselves… shrouded in mystery, filled with jargon to confuse their audience in an act of self-preservation, in turn, stunting the spread of understanding. Lack of knowledge, or worse, lack of wanting to understand, means people are likely to avoid the subject full stop. Burying heads in the sand only results in further negative effects when referring to cyber security. For example, not addressing vulnerabilities due to lack of knowledge about the problem, or the solution, will not make them go away, the vulnerabilities will just become bigger and more difficult to ignore.
The industry needs to settle on recognized terminology and cut jargon to a minimum if it’s to encourage others to take an active approach towards securing their cyber security space.
The Gamble – Risk v Reward
One of the hardest challenges that cyber security professionals must overcome is that the main purpose of most businesses is to make a profit. It can be very difficult to equate investment in cyber security with tangible returns. Hypothetical threats about the impact of breaches leading to fines, damaged reputation, and lost revenue, only go so far when trying to convince a Board to part with their money. This is particularly evident in the small and medium enterprise (SME) sector where budgets tend to be tighter and the investment with the least immediate return, typically cyber security, may fall down the list of priorities. How to ‘sell’ cyber security investment is one of the biggest hurdles for cyber security professionals.
Achilles and the tortoise – Where does it end?
The Achilles paradox states that a faster runner – Achilles – can never catch a slower tortoise in a race where the tortoise had a head start. The reason being that every time Achilles reaches the location the tortoise was at, the tortoise has moved on, continuing infinitely. The IT Security Manager who is starting from a position with multiple vulnerabilities or security gaps, may feel like Achilles and that they can never catch the attackers who had a head start. As soon as they think they are catching up and fix one hole, another is found, leading to a feeling that it is never-ending.
Not my problem!
Typically, for someone to care about a topic, they need to feel involved and potentially directly affected. Telling fellow colleagues that cyber security is “everyone’s responsibility” without helping them to understand the reasoning behind this statement can lead to an attitude of “not my problem, that’s what the IT and Security teams are for”. This is well known to not be the case and a strong security posture requires everyone to play a part and understand their role.
What can we do?
It’s not all negative, there are some simple, low-cost mitigations that can be implemented to help address the challenges above:
- Communication is key! When talking about cyber security within your organization, agree on the definition and scope and make sure this is communicated to all employees. When making cyber security changes, explain the reasons behind decisions and the associated impact (both good and bad) on employees personally and the business – all without jargon!
- More carrot, less stick! Focus on the benefits of cyber security as opposed to the potential penalties for not implementing it. Threats only go so far.
- Make training and awareness relatable to users’ everyday lives to build a security-focussed mindset, even in their personal lives. Guidance that users can implement at home is often also applicable to the business.
- Set overall objectives or goals, then break them down into small achievable tasks, each one with a demonstrable step change or tangible achievement. Accept that you cannot fix everything overnight, but plan to address the biggest gaps or highest risks first.
- Start with the ‘quick wins’, those actions that are cost-free or cheap and easy to achieve. For example, building an inventory of what you’re trying to protect, creating a security policy, or implementing multi-factor authentication. Security doesn’t have to be a shiny, expensive, new box; it can be as simple as reviewing current users on the network or adding a confirmation step prior to accepting bank account changes.