Managing Cyber Risk: 7 Insights from the Nowcomm Security Masterclass, By Jane Frankland
Cybersecurity is big business. It impacts industry and individuals alike and does not discriminate. Last year, Verizon reported that 71% of breaches were financially motivated, 25% came from espionage, and 21% were caused by human error. Unsurprisingly, according to Gartner, spending continues to rise and is forecast to reach $133.7 billion by 2022. Furthermore, from 2019–2023E, approximately USD 5.2 trillion in global value will be at risk from cyberattacks.
Whilst this research is concerning, when talking to executives outside of security, as we did at the recent Nowcomm Masterclass, we need to make sure they understand the following:
- Not all attacks are sophisticated.
Hackers do not reinvent the wheel for every attack they execute. These days, hacking-as-a-service is cheap: it starts at just USD 5 per hour, USD 30 per day, or less. Attacks are automated whenever they can be, and the methods bad actors use are mostly similar, if not the same.
- Hackers do not purely target big businesses.
They target low-hanging fruit. They follow the money trail. That is, businesses that believe they have invested enough in cybersecurity (but have not) and/or are overconfident and think they will not be targeted (but are). Last year, according to Verizon, 43% of cyberattacks targeted small businesses.
- Hackers are creative, adaptive, resourceful, and business-like.
They make guarantees, offer support contracts, and will find a way into your organisation. That could be through common hacking techniques like phishing, bait and switch, cookie theft, deepfakes, password cracking, social engineering, and so on. It could be through your organisation directly, or through your supply chain. According to Gartner, 60% of organisations are now working with more than 1,000 third parties. That is why, no matter how big or small your organisation is, it’s really only a matter of time before you’ll be breached, or you discover you already have been. IBM found that the average time to identify a breach in 2019 was 206 days. This does not include the time it then takes to rebuild what was lost.
- Human error causes many data breaches.
The figures vary, with Verizon reporting 21%, IBM reporting 24% and CybSafe reporting 90% in 2019. Given the rise of remote and flexible working globally, successful cyberattacks against home networks, reaching vulnerable home workers on unsecured devices, are on the rise. Nowcomm offers a range of solutions to this element of security, which will help your organisation embrace security and a culture of security outside of the IT team.
- Security intelligence comes with a high payoff.
When Accenture analysed 9 cutting-edge technologies that are helping to reduce cybercrime and calculated their net savings (the total potential savings minus the required investment in each type of technology or tool), they found the figure amounted to almost USD 2.3 million.
Data is a strategic asset for any business and any hacker, so when it comes to protecting an organisation from cyberattacks and compliance failures, one of the most common problems seen is the inability of leaders to identify the risks they face, and to evaluate, communicate, and tackle them in a timely fashion.
This was something discussed in a masterclass I chaired with Nowcomm co-founders James Baly and Richard McLoughlin and future of work expert Perry Timms, which you can still get access to here.
There are several reasons for this. Here are the insights from the Masterclass.
People and Culture: Cybersecurity and Compliance are different
Often, I see a tendency to treat risk management as a compliance issue that can be solved by creating lots of rules and ensuring employees follow them. Typically, this approach is supported by the media, regulators, investors, training companies and certifying bodies. However, whilst having rules and security policies is a sensible thing to do and can lower some of the risks that could weaken an organisation, rules alone will not reduce the likelihood or eliminate the impact of all misfortunes.
Compliance and security are not the same thing.
Compliance is all about protecting your organisation’s reputation and making sure you won’t be sued, fined, or subjected to other penalties. It’s about making sure your organisation meets the various requirements it is subject to. Cybersecurity, on the other hand, is about safeguarding information assets from damage or theft. Both share the same goal – to reduce risk – and both design, establish and enforce controls to protect an organisation. However, they have very different drivers and actions. And whilst they may overlap, compliance with common cybersecurity standards can disguise some very weak security practices.
People and Culture: Creating a “Risk-Aware” Culture
Most organisations do not define what risk means to them, which ironically is a threat in itself. Risk is an abstract concept, yet it affects our lives 24×7. When you have a clear definition of what it means to your organisation and have a culture of security awareness embedded, it enables you to ask better questions about your business practices and how you operate. You can then challenge assumptions and get superior collective outputs. It puts you in a better position to ascertain which strategies you’ll use to accept, avoid, transfer and limit risk.
People and Culture: The Impact of Cognitive Bias
Numerous studies have documented how men and women gauge risk differently. It’s something I wrote extensively about in my book, IN Security. It turns out that men are substantially more overconfident than women. Typically, men will overestimate their ability to influence events that come about due to chance. Men will be overconfident about the accuracy of their forecasts and risk assessments, and too limited in their assessment of the range of outcomes that may occur. As a result, they’ll take on more risk.
Then, there’s confirmation bias, which further compounds the problem. It stems from our individual beliefs and from wanting something – an idea, concept or event – to be true. It drives us to be partial: to favour information that supports our views, to stop collecting information once the evidence confirms them, and to discount or suppress anything that doesn’t. It also causes us to become even more committed to proving we’re right (when we’re not), and to foolishly direct even more resources into doing so.
Extensive behavioural and organisational research has revealed how dangerous cognitive biases can be, for they block us from thinking about and discussing risk until it’s too late. They breed cultures of groupthink, too, which are heightened when teams face uncertain or challenging times, like now, or when a team is led by an overly dominant, confident, closed-minded or arrogant leader. Here, once an idea or action has gathered support within a group, individuals with objections, however valid, will suppress them and follow the common group stance.
These biases show how easy it is to misinterpret, underestimate, overlook and essentially incubate risk, and why risk management must counteract these biases.
Technology: Using frameworks to guide your approach
There are many different ways of approaching risk in cybersecurity, for example a system approach and a component approach, and the UK NCSC has an excellent resource guide that covers them all. No matter which approach you use, there are different standards and frameworks (like NIST and FAIR) to help you. But know this. Whilst managing cyber risk does require you to use risk management standards and frameworks, it’s not a case of using one over another. One size does not fit all. They should not exist in isolation. They need to suit your culture.
Technology: Engage outside your organisation and verify your supply chain!
Engaging with experts outside your organisation can have a profound effect on managing risk successfully, especially if they don’t all come from cyber. Having a risk review board act as devil’s advocate can reduce blind spots and force you and your team to think in advance about how you’ll describe and defend your decisions, and whether you’ve sufficiently considered the risks. It requires strong leadership, an out-of-the-box thinker and someone who’s open-minded. Not every leader has the stomach to champion a practice that could identify the risks in the strategies they helped to formulate.
Operations: Incorporate security risk into your business strategy
Risk and strategy are very different beasts. They sit at opposite ends of the spectrum. Risk management focuses on the negative—threats and failures—whereas strategy management focuses on the positive—opportunities and successes. To build an organisation that aspires to be more than conventional and realise as many good opportunities as it can, clearly you need to be managing both well. Only by ensuring you have the right combination of people, processes and technology can you do this.
Operations: Creating diverse teams
Effective risk management requires a certain type of culture. Ideally, you want a diverse team filled with individuals who are not just capable, but who are also humble enough to learn. When you work with some of the best professionals, who might have gone to top schools and universities, you will sometimes find they have not experienced much failure there. Or, they might have been brought up in environments where failure was penalised. Therefore, one of your biggest challenges can sometimes be establishing a new risk culture – one where you can get your teams to feel OK about failure and have open discussions about what could go wrong with their “excellent” ideas, processes, or designs.
Psychological safety is key to top performance in any industry, but as cybersecurity has such a strong blame culture, it is vital we make this shift. Leaders must ensure their teams know when they can challenge strategy, project design, risk assessment and risk mitigation decisions, and help them to feel safe when they do. This bridges the gap between the operations and culture themes of the Masterclass, which is unsurprising, as Nowcomm’s golden triangle of People, Process and Technology cannot be separated when it comes to an effective security strategy.
Finally, in the spirit of full disclosure, please be aware that I’ve received compensation for promoting this #ad for Nowcomm. Because your success is important to me, I only align myself with brands I believe in, and Nowcomm is one of them.
To visit Jane’s blog about the event, please click here