Cyber crime and cyber security: the next big risk management requirement for business?

Introduction

We hear it constantly: not a day goes by without someone having something stolen over the Internet. It can be a virus infection, a USB drive inadvertently left in a coffee shop, a stolen laptop, or a targeted attack on an individual or business by someone who was after something specific.

We constantly hear about phishing attacks laser-targeted at individuals through social media. We hear about denial of service attacks launched from criminally controlled botnets. For some reason, though, businesses keep referring to these problems as an ICT problem. This is cyber crime, and the only way to protect yourself is to have some level of cyber security.

That assumption needs to change. Yes, ICT is involved, but cyber crime and cyber security are full-blown business, management and board level problems, and they need complete management and board level buy-in to resolve.

Managing the risk of cyber crime

The best Internet-facing systems are not going to help if the CEO has opened an infected email attachment from someone he thought was a trusted colleague. The best VPN is not going to help if it was brought up over an insecure wireless link in a way that lets a man in the middle sit on the connection: a client configured to ignore certificate warnings, a user who clicks through them, or a split tunnel that sends business traffic outside the VPN. A correctly configured VPN that verifies the identity of its endpoint still protects the traffic inside the tunnel on an untrusted network; the failures come from configuration and user decisions. These are all possible, and none of them is purely an IT problem.

For most small and medium businesses and not for profit organisations, managing the risk of cyber crime is seldom thought of as a business problem. It is normally confined to the depths of the IT department, never to see the light of day until something happens.

When it does happen there is the constant blame game of whose fault it is. Like every other department within a business, IT is being called on to do more, sometimes lots more, with less: less money, fewer resources and less training. In a normal situation the repercussions are minimal. In the realm of cyber crime this is a false economy.

We have all heard about C level executives demanding the best and newest technology with no thought for the repercussions. Shiny, bleeding-edge technology is great, but if the infrastructure and business capability to support it are not in place, it will not deliver the solutions they are looking for. Let's look at the risk of such an investment.

The introduction of Android in 2008 was a watershed moment for the BYOD and mobile device movement. The first people who wanted to use it for business were not the IT people; they saw the dangers as well as the potential. It was management. They saw the potential for productivity and functionality but did not factor in the risk, and with Android those risks were substantial.

The opportunity to take work home, to work anywhere, to be productive no matter where you were or what time of day: for management it was something to salivate over. This was definitely a way of doing more with less. But the risks were just as big. Information was now outside the business perimeter, and data was exposed in unexpected ways. A business had less control over critical information than ever before, across a far more diverse set of threat vectors.

This is a whole of business problem that needs a whole of business solution

Most organisations have some sort of policy in place. In most businesses, these policies are inadequate. Do the policies cover the problems that will predictably arise from a normal organisation doing business?

Are there Internet policies, BYOD policies, training policies and policies for C level management? All of these help contain the risk of doing business in the 21st century, but the policies are only the first step. Getting staff and management to understand that the business they are in pays their bills is one of the hardest messages for management to convey. The policies are a good place to start, but they have to be enforced and kept front of mind for every member of the organisation.

This understanding comes from training, from building a cyber security business culture in which everyone understands their role and helps enforce it.

Protecting your business

"Cyber security is my problem" is as good a place as any to start. If it is said by everyone in the business, from the factory floor to the upper echelons of management, the flow-on effect is dramatic. No one is looking to play the blame game, and no one is interested in the dreaded "not my problem" syndrome.

Where that culture exists, the IT department benefits most. It can make substantial investments in Internet-facing systems, the front door, in the secure knowledge that the windows are also protected. It knows that staff are going to use strong passwords, that when patches are pushed out to staff computers they will actually be applied at the next opportunity, that everyone on staff is just as paranoid as IT is, and that staff will apply common sense when doing anything on the Internet.

But it still comes down to cultural change. IT can use technology to enforce the security profile of the business, but it has to be ingrained in everyone on staff that cyber security is my problem.

Conclusion

We are all targets. The Internet has made it possible for anyone with an Internet connection, above average computer skills and a criminal mind to attack anyone else on the Internet. That is the fundamental change the Internet has given the criminal: they can target anyone, and because we are all trusting souls, we are all targets.

Risk assessment, risk management and business security are, and always will be, the purview of the C level executives, management and board members. That has never changed. What has changed is the technology. The technology is hard to understand and even harder to integrate into the risk components of a business plan if it is not fully understood by those making the decisions.

The problem is that the technology available to business is also available to the cyber criminals. They have seen the opportunity and made plans to exploit it. Those plans include your business, no matter who you are and whatever business you are in.

Roger Smith is an educator, teaching students at ADFA (UNSW) and showing them how vulnerable they are to cybercrime.

He is also CEO at R & I ICT Consulting Services Pty Ltd, an Amazon #1 author on cybercrime and founder of the SME Security Framework. He is a consultant who specialises in inexpensive and highly effective security strategies for small and medium businesses and not for profit organisations.

He has developed and authored the SME Security Framework and the Security Policy Training Course, which are considered to be the definitive guides to helping SMEs protect their organisation using the principles of Technology, Management, Adaptability and Compliance.
