“I know” vs “I WANT to know”
Cyber Security Fatigue — on the road to DIGITAL BLISS. Plato once said, “Opinions are nothing more than the medium between truth and complete ignorance”. This is where cyber security has now gone. We are told we have what we need and yet we are still being compromised.
Cyber Security has become a complex animal. There are tools, processes and even more tools to install in our digital environment. The government, vendors, IT providers (and the like) all tell you to install multi factor authentication, patch your systems, and do security awareness training etc, yet we are still getting HACKED. In the last 6 months there have been several major Data Breaches reported in various sectors and the big thing that has come from the Government… Wait for it… implement the Essential 8. That is another topic for another time.
So, it begs the question, if we have everything we need (supposedly) and we are still getting HACKED, what is going wrong? The answer is simple. I know you want to keep reading!…….
How many of you who are reading this article have children/teenagers or younger siblings, or maybe even you yourself — who use the phrase “I KNOW” (insert eye-roll here) as a default response to avoid dealing with a real problem. We are all guilty of this at some time or another.
Optimism Bias is just this. “A cognitive bias that causes someone to believe that they themselves are less likely to experience a negative event.” This is one of the most fundamental problems with cyber security now. We generate opinions based on click-bait, the media, and other sources of information and many of these opinions have been made based on individuals whose agenda is to sell, sell, sell. We have been bombarded with so much information from the media, product vendors, IT providers and everyone else under the sun trying to tell us how to do cyber security, that it has all become white noise.
We are automatically being provided with solutions, without the real problem being defined. Most people are not experts in cyber security to be able to make informed decisions, yet they are being forced to make them every day. and with that, choose to bury their head in the sand instead of being open to growth. We are dealing with the mindset problem of:
“it will never happen to me” “our organisation isn’t big enough to be targeted” “our information isn’t worth much”
So, it is easier to say, “I know” than it is to say, “I didn’t know that, tell me more”.
You don’t actually believe (or understand) the true value of the information in your organisation. You are targeted for exactly that reason. You hold information like any other organisation, you process it like any other organisation yet you don’t have the security budget, nor the appropriate advice and/or knowledge, to protect it within the context of your organisation. And to add to the anxiety of all of this:
“We are all compromised!”.
It is not a matter of if, but when. An even now, you are already compromised providing your information to cloud vendors. So, you are having to rely on and trust more than one set of entities to look after your systems, information and what’s more, your livelihoods. Your information is out of your hands. So you being compromised now, is when you become interesting to the Cyber Criminal.
However, all is not lost. A shift in mindset, and having simple, sensible and sustainable protection for the organisation, you can take back control of your assets. Bear in mind, as a Director and owner of an organisation, you are responsible and legally liable for all information regardless of who you provide it to for processing, transmission and storage e.g. your IT provider, your accountant, your HR company, your logistics company etc. It is your data at the end of the day the supply chain only enhances your organisation, not takes ownership for the data.
You don’t know what you don’t know!
We follow a simple process at the start to help an organisation understand their risk posture. This is called a Threat & Risk Assessment. Our Threat & Risk Assessments encompass four (4) critical and complete areas of your organisation — Governance, Personnel, Physical Security and Technology.
For every Threat & Risk Assessment, we capture the context of the digital environment, layer by layer, building a firm foundation and understanding of how information flows in and out of your organisation.
We identify the following key items in each layer:
WHAT information or data is at risk?
WHO is going to threaten the organisation?
HOW would they compromise you?
IF compromised, what is the projected cost?
Together, these pieces create a complete picture of the risks your organisation faces, which we use to develop the security and protection outcomes, to then drive your IT provider to implement a solution that protects your assets.
We are going to leave you with three key mantras to start you on your path of DIGITAL BLISS:
Get Independent Advice
Zero Trust (Trust nothing)
Cyber Insurance / Management Liability