Cyber risk. Overlooked? Ignored? Under-appreciated?
Well, that’s exactly how most information security professionals must feel when trying to raise funds to fix security holes. The challenge we face isn’t the business failing to grasp cyber risk, it’s addressing the communications gap between technical staff and business owners. In turn, business owners don’t like spending money on anything that doesn’t make them more money. Even insurance is a grudge purchase. I’m never fond of paying a high premium, but if there’s that niggling feeling that I could lose my livelihood and house if I fail to get the right insurance cover, then I kind of accept that.
Mitigating cyber risk is exactly the same. If companies don’t do it, then they could go out of business. But there’s definitely over-confidence in the space, and I often hear “well, it will never happen to us, we’ve just installed anti-virus on all of our laptops”. So exactly how do you give the business that niggling feeling that encourages them to mitigate security risks? The reactive approach definitely isn’t the right way; and demanding cash after something has happened to plug a hole. The sales-led approach isn’t the right way, where security vendors force silver bullets down your throat and you end up buying something to help them meet their sales targets, regardless of how nice it makes your treasured server rack look. It’s about taking a proactive stance, and dealing with cyber security BEFORE something happens; and being prepared to tell security vendors where to stick their hardware if it doesn’t fit into your security programme.
I’ve never seen a business turn down a carefully prepared cyber security risk mitigation programme, that fits the business. Fortunately creating one is remarkably simple. Define scope. Carry out a security audit on said scope. Conduct a gap analysis, work out three costed options with pros and cons to address each gap, and present to the business. But that still doesn’t mean the business will buy in. We’re missing that niggling feeling. Much as I dislike scare tactics, now would probably be a good time to think about them, with a short, sharp exercise that demonstrates to the business exactly what could go wrong in their cyber world.
Simulate a phishing email. It’s easy enough. Put an EICAR malware test file on your CEO’s laptop. Take your CFO’s laptop away for an hour and simulate critical hardware theft. Leave a suspicious package in the mail room. Simulate a web server hack. These exercises would take less than an hour of the board’s time, and whilst they won’t get the cheque book out, they will raise awareness over time. Throw in a few fire drills to keep their minds off cyber for a bit. Simulate a flood. The point being, over time, your business CAN become cyber-aware; and ultimately this loosens the purse strings and gets you that next hire and support for implementing change.