10% of the global population that use the Internet have more than a basic understanding of the digital world. There is a severe disconnect between what is done and what needs to be done when protecting an organisation from cybercrime.
Throw terms like dark net, cloud technologies, IOT (internet of things) or BYOD and most managers, board members and owners shrug, glaze over and say that it is an IT problem.
In today’s threat landscape, cybercrime, is a business risk. Probably one of the biggest risks a business will face. Like all business risks it has to be addressed as soon as possible. But what are you addressing?
In most cases management teams, board members and owners consider cyber and digital protection an unreasonable and unjustifiable expense for the organisation (until it’s too late that is). In most cases they under invest in Digital Security, for no other reason than they do not understand the problem.
From a business perspective, of the thousands of attacks on most business systems, mobile devices and other devices that are connected to the digital world every year only one has to succeed. As an organisation, we have to stop them all. That compromised system is the Trojan horse to get into your organisation.
We have all experienced a virus and how hard it is to stop and clean up. Image if that virus was just the scout of a more costly attack. You don’t have to image it, in most cases it is the vanguard of your worst nightmare!
The recently discovered attack on 100 worldwide banks that netted the criminals around $1 billion was done through a very sophisticated process that included boutique malware (undetectable by the best AV), social engineering, bad work practices, substandard policies and procedures and a lack of auditing.
The perfect storm that netted the bad guys all of that money over a 2 year period.
Compared to walking into a bank with a gun, or blowing the safe, this theft is relatively painless. It is very profitable! Very profitable and relatively safe! Catching the bad guys is remote, difficult and the criminals that do get caught show Darwinism at its best.
These 3 factors make the management of cybercrime difficult:
The cost of Digital Security technology!
Walk into any office, locks on the doors, motion detectors in the rooms, alarms on the windows, possibly biometric locks and access and in some cases bollards out front. These are known protections that have come about in the last 100 years. Costly but important protection.
Protecting the Organisations digital assets is a little harder.
If an organisation does not understand the WHY of cybercrime and Digital Security the protection requirements are often underestimated.
The business management’s attitude that free or cheap is the solution reigns supreme.
- Free anti-virus must be better than having to pay a monthly or annual subscription for a managed end point protection system! The fact that it only captures 90% of the known problems is irrelevant.
- Or purchasing the inexpensive router from the local retail shop will do the job of a router with UTM (unified threat management). The attitude that we just need a device that connects to the Internet is often heard.
There are thousands of other examples where free or cheap is the solution that is taken by SME’s and even larger Organisations.
When it comes to technology – you pay for what you get and scrimping on Digital Security by buying the cheapest means you are exposing your business to unnecessary risk.
The cost of protection can be exceedingly high and that is the main reason that risk management and risk assessment is paramount in those decisions. Throw away lines like “we are too small to be a target” and “it will never happen to us”. These are based on myth and legend. Like a normal risk factors, understanding and then mitigating the risk has to be front of mind and in Digital Security, mitigating those risk comes at a cost.
There are times when the discussion around cybercrime and Digital Security is difficult. I will even admit that at times I have trouble understanding what sales and technical people are saying, and I have been in the industry for more than 30 years.
One of the reasons for this disconnect is jargon. Each manufacturer has a new word, new catch phrase, new product name or new operating system, that someone somewhere in the purchasing organisation has to now learn, understand and manage.
Getting straight and understandable answers to basic questions in the digital space can also be difficult. The answers are made more difficult if you cannot understand them or worse still have not asked the right questions.
Paramount to protecting business information is to understand what information needs to be protected.
This communication disconnect also happens when describing the criminal element. Malware, zombies, botnets are the tools of the digital criminal, but most businesses do not understand the impact that they have on the protection paradigm.
In most cases businesses do not understand why they are being targeted with viruses or malware.
“Why did we get a virus, we have nothing worth stealing” is a cry we get regularly! Everyone has something worth stealing even if it is just the storage and cycles used by the system itself to become a zombie or to join a botnet.
Digital Security Protection is difficult to manage!
The next problem with Digital Security is the management of all of those digital components. Organisations believe that digital protection is “set and forget”. A couple of years ago this might have been true.
Thinking that once it is in place you don’t have to worry about in today’s digital world is a bad idea and can have devastating consequences. Not updating a device for 12 months or in some cases 3 years is definitely not best practice.
All of the components that protect the business have to be updated regularly, checked regularly and most importantly tested to ensure that they are working to design specifics. Once again Jargon is a problem.
The digital threat landscape is constantly changing. The bad guys know this because in most situations they are behind the changes.
Digital Security is a holistic process. Once again jargon impacts the Organisations decisions. To make a correct risk assessment on the organisation you need to know:
- What needs to be protected?
- Intellectual property
- Financial information
- Client information
- Digital assets
- How will it be protected – this is the technical component of the risk analysis process
- Separate network
- Restricted access
- User access
- Who needs access to it?
- Does everyone in the organisation need access to all information?
- Can components of the information be separated?
You have to have a basic understanding of the required components that are protecting that information before you can make decisions.
Convenience is usually the primary driving force for business. It is also the driving force with applications and systems. Security should be more important than convenience, most of the time it is further down the list.
This article first appeared on LinkedIn
Roger Smith is the CEO of R & I ICT Consulting Services, Amazon #1 selling author on Cybercrime, author of the Digital Security Toolbox and author of the SME Digital Security Framework. He is a Speaker, Author, Teacher and educator on cybercrime and how to protect yourself from the digital world.