Cyber security continues, all too often, to be treated as an IT issue. This is a drum that cyber security professionals have been banging for a very long time: cyber security is NOT an IT issue, it is very much a business issue. But we still struggle to get that across, particularly in the SME market, which continues to view it as purely technical in nature.
I am not always enthusiastic about the stats and reports that get published, simply because they tend to be industry publications whose authors often have an axe to grind, but they can still make some very good points. Let's look at some of the key challenges they identify:
SMEs are invariably focused on cost, which means optimising their spend to get the biggest bang for their buck. However, time and again we see that they have spent, sometimes considerable, sums on technology without understanding what risks that technology is there to mitigate, and therefore with no real idea whether it is doing what they have been told it does. The amount of money is of course relative: a sum that is a major investment for a small business might be a minor consideration for a much larger one. What matters is that the mitigations put in place are appropriate to the risks they are there to mitigate.
This comes down to another drum we like to beat, that of risk management. Below is a link to a short video which explains the risk management process as it applies to cyber security. Watch it with the understanding that this is a matter of scale: a smaller business may not need to go through the whole process, but it will need to go through much of it.
Note that I use the term mitigate rather than prevent. That is simply because eradicating risk is not possible if you are going to continue to do business. The best you can achieve is to mitigate the risk to the lowest level attainable without getting in the way of the business.
Let’s consider the following challenges and impacts:
| Challenge | Impact |
| --- | --- |
| Societal perception of cyber security is that it is a technical problem, best handled by technical people. This view is strongest amongst the SME community, though there is evidence that it is slowly changing. | Societal perception is dominated by fear, uncertainty and doubt. It results in poor engagement between management and suppliers, unproductive exchanges and unrealistic expectations. Ultimately, it leads to bad decisions and bad investments in cyber security. |
| Organisations are focused on the wrong questions about cyber security. They ask "what do I need to buy to secure my data?" rather than "what do I need to secure, and what is the priority?" | Unproductive questions are indicative of poor understanding, and they drive attention away from improving that understanding, which is what would drive better investments. |
| Current investments and approaches designed to address known limitations are not productive. | Many SMEs are focused on technology and have a poor understanding of cyber risk management. This is often compounded by an equally poor understanding within the IT management companies they outsource to. The result is a combination of poorly scoped solutions, all too often failed execution, and unrealistic expectations. |
| Real failures are not getting enough attention to productively change behaviour. | Compliance with any regulation does not equal an appropriate level of protection. |
Now, whilst some of these impacts may not be a 100% fit for many SMEs, particularly at the smaller end of the bracket, they are close enough to be taken very seriously indeed. Poor decisions are being taken every day on the purchase of hardware and software to protect against cyber threats, without any kind of risk assessment having been carried out to understand what risks the purchase is meant to mitigate. The end result is an investment in technology that, on its own, will not prevent many of the cyber threats that abound today, coupled with a false sense of security.
A competent cyber security professional will approach the problem from the point of view of People, Process and Technology, understanding that many mitigations require a combination of two or three of those to provide an adequate response to a threat. For many SMEs, one of the biggest and quickest wins available is cyber awareness training for their staff. If staff are aware of the issues, they have a much greater chance of recognising a scam, a phishing attack, an attempt at social engineering and so on, and such things can often be mitigated further by sound policies and processes. All of this comes before even considering spending money on technology. The very first step, however, should be a risk management process to identify the threats and vulnerabilities inherent in the business, so that the risks can be identified and the mitigations needed to drive them down to an acceptable level can be worked out. SMEs almost never do this, and it is a fundamental mistake.