“Cyber space”, or the Internet, affects us all. We all have smart phones, computers, laptops and tablets. We all work where technology is doing the work to some extent. We all have some level of cloud storage and we keep most, if not all, of our life on a computer system of some kind. So, in terms of the old adage about keeping all your eggs in one basket, we are pretty close. You would think that most people would worry about that. They don’t!
There are conflicting and totally different points of view out there in the world concerning cyber crime. In fact, the issue is polarising; there is no middle ground. One view is that cyber crime and cyber security are an ICT-driven problem similar to Y2K: lots of hype and no discernible substance, just something for ICT companies and individuals to make more money from. The everyday person and all businesses and governments are the target.
The second point of view, and the one I agree with, is that if we do not resolve the cyber security problem then the Internet will become no more than a broken communication device. We are already seeing a marked increase in cyber-attacks, whether through automated systems, social media, cross-site scripting or focused hacking attempts. If you add in the ill-informed, uneducated and unaware users on the Internet then we are definitely heading for the perfect storm, if of course we have not reached that level yet.
How many times have you heard “my computer has a virus infection”, “my computer crashed”, “sorry I cannot take your order because we are having problems with our system”, “my phone is doing weird stuff” or a myriad of other reasons why technology has been perceived to have failed and we are waiting for someone or something to fix it? To say that cyber security is not my problem, it is “X’s” problem, is something that we take for granted.
Changing the business and user culture and making the Internet more secure will be an impossible task, but changing people’s perception would not be as difficult. Making users less trusting of the Internet is one of the first steps.
This has to be a fundamental change in human perception. In normal day-to-day existence, we make normal emotional decisions when meeting people, based on our five senses: sight, sound, touch, smell and taste (I try not to lick people when I meet them). These senses give us a perception of the people we meet, an understanding if something is a little “off”, or an understanding that I can trust them. On the Internet we only use one and that seems to be enough for most people. I like the look of you, therefore you must be OK! Maybe I am strange, but for me to trust you will take a lot more than what you look like.
It does make me wonder how stupid we are. The problem is, it is not stupidity. This is a fundamental change in human physiology. The other four senses are no longer used so we have to rely on other factors to increase my level of trust in you and who you are.
In business this is done through marketing and, more importantly, reputation. Social media, when used correctly for business, has the capability of increasing your trust level in both me and my product. This is why we see large businesses and politicians use social media to increase the trust level of their community. Sometimes it works, other times it doesn’t.
The problem is that the bad guys also use these types of tactics to increase your trust in them. From blatant lies to false advertising, they are out to get you. The criminals even use Google AdWords and search engine optimisation (SEO) to target potential victims. If you are looking for the newest game, song or film to download, or for the newest celebrity screw-up, I will bet you that the top 10 search results, both natural and paid for, will deliver not only a version of what you are looking for but also malware, spyware or a worm.
One of the hardest jobs in the world is to be the managing director or CEO of a small or medium business or a not-for-profit organisation. It is an unenviable position to be in, unless of course you volunteered for it. Being the driving force behind the organisation. Being the rain maker, bringing in the new customers and making sure that the old customers are happy and still buying your product. Running the organisation in a profitable way. Having responsibility for your family and your staff, and doing your best so that they can be assured of success, can weigh heavily on a business leader. It is a daunting life: some people excel and thrive, and others do not.
A good CEO or MD is always looking to mitigate a whole raft of business risks. That is their job: to look at risks to the organisation and make sure that they are reduced to a manageable level or, if possible, eliminated totally. One of the risks that is seldom thought about at this level, but is rising in popularity, is cyber security. Mitigating the risks of cyber crime and focusing on cyber security has to be done at management and board level.
A cyber-attack can cripple a business. It can take it from a thriving money-making enterprise to a smouldering husk in a VERY short space of time. It can ruin your reputation but, more importantly, it can reduce you to a pauper in moments. There are less dramatic ways as well: undermining the trust of your customers through malware on your web site is a start, or stealing your ideas and going to market with a cheaper and shoddier product. There are hundreds of others.
By changing the focus and emphasising not only the business requirements but also user protection, we can actually change the focus of the cyber crime problem.
The buck has to stop somewhere. If everyone who connected to the Internet had the attitude that “MY protection is MY problem” we would be in a totally different world and I wouldn’t have much to write about. We can use technology to help with the solution, we can use management to keep track and resolve the problems and we can make sure that we are as adaptable as we can be but it still comes down to the fact that everyone needs to say that it is MY problem. If it is MY problem then I am also the solution.
We have all of the social media sites saying “if I do not show total disclosure then there is something wrong with me”. It is targeted at the uneducated, innocent and ill-informed. We all need to take responsibility for our own actions. The bad guys use peer group pressure to force you to lower privacy and security settings on social media sites. If you don’t, you are not part of the crowd and you will not have friends? Sorry, but I need some level of trust before I lower my defences to someone I do not know, don’t you?
In business and most organisations, cyber security and the problems associated with it have always been perceived as an ICT issue. If you are expecting your ICT team to help then you have a bigger problem – they are usually underfunded, understaffed and undertrained. They are normally so busy with everyday IT problems that proactive and even reactive security is left to when and if they have a moment – those are rare. Being so busy has a flow-on effect: innovation dries up, the process of fire fighting and problem solving becomes more intense as the resources dry up further, and there is a reduced management, viability and visibility of the problems regarding cyber crime. In other words, the IT department are swamped.
Mother Teresa said
“We the willing, led by the unknowing, are doing the impossible for the ungrateful. We have done so much, with so little, for so long, we are now qualified to do anything, with nothing.”
This used to be a joke and was said tongue in cheek. In my Navy days it was the catch cry of one of the ships I was on, but in today’s business IT world it feels more like the truth.
It is a vicious circle that quickly starts to spiral out of control. Many businesses and organisations are facing this problem at the moment. Pushed by profit margins, increased revenue, reduced funding and increased productivity, many IT departments, organisations and businesses are caught in the normal business catch cry of doing more with less. When ICT projects are scoped out correctly then a project is doable; when the funding is reduced, do not expect the same level of capability, functionality and security. Something has to give, and in most cases, if not all, it is security.
Like insurance costs, there is no return on investment (ROI) in cyber security except if something goes wrong, but there is a huge ROI for cyber crime. Cyber crime is a vast business. With everyone moving their business to the Internet and computer systems – it is where the money is. It is where the ideas are, and it is where the people, the cyber crime targets, are. It is where the intellectual property (IP) of a business is, as well as state secrets and information concerning your clients. Lose that information and you may as well close up shop.
In the old days, 100 years ago, robbery and mugging were one-on-one: one person stealing something from another. We then had banks and stagecoaches and trains. It was then one person or a group of people stealing from a larger group of people. If you look at the Sony hack in 2011, it was one person stealing from 70 million other people. This is a quantum leap, and in my opinion it is only going to get worse.
Cyber security is a whole of business attitude. It is a holistic attitude towards protecting everyone and everything within the business. It needs to be driven from all areas of the business, managed and controlled by the top but implemented and embraced at the bottom.
I have a simple saying – Cyber security is MY problem. Not just because I work in the area but because it should be the catch phrase of everyone who is using the Internet. If everyone looked at cyber security like that then we really do have a chance of controlling the problem. Yes we still need the high end Internet facing systems and newest operating systems, the technology, to protect the organisation and businesses. We still need governing policies to manage the business and we still need business continuity, disaster recovery and business resilience components to strengthen the business.
In addition to that we also need training and staff involvement. This has to be emphasised as a critical component of business cyber security in the fight against cyber crime.
In the area of training there are 6 facets that can be used by everyone that will flow into their workplace. Some of them can and are controlled and enforced by computer policies, others are not. They are all important.
· Use complicated passwords for every password.
  o It doesn’t matter what the web site is or the reason for the password, if you use a complicated password then a brute force attack will fail.
· Use unique passwords across different areas of your personal and business life.
  o There is a place in the cybercrime area for people who use the same password on every site. These people are just basically fodder for the cybercrime machine. If I use the same username and password on a site and it is compromised, then the first thing that the bad guys do is test other sites with that combination; it is an automatic and automated process.
· Patch everything, including operating systems and applications.
  o If the computer tells you it has an update – apply it. If an application has a patch, apply it. Applications are a bigger danger as they go across multiple platforms.
· Use an anti-virus program on anything that will take one.
  o Anti-virus software is now available for most platforms, from Mac to Microsoft to Android. Most look for viruses; they are also looking for malware and spyware.
  o The more people who use an operating system or application, the more chance there is that something bad has been written for it. Yes, Apple and iOS are targets.
· Be paranoid.
  o Everyone is out to get you on the Internet – from 12-year-old script kiddies to full-blown bad guys – and the threats are increasing. In addition to that, even the automated systems are out to get you.
  o If you lose control of your computer, it is no longer your computer – paranoid yet!!!
  o It is going to happen to you (99.9% chance of being a victim of cybercrime in the next 10 years) so make sure that you do a regular backup.
· Always use common sense.
  o If it looks like a scam – it is.
  o If they want money – it’s a scam.
  o If they want to give you something for free – it’s a scam.
  o If it seems too good to be true – it’s a scam.
  o If it’s free – it is a scam; in most cases it is also infected with malware, spyware or ransomware.
The password component of business and the internet may change in the future to biometrics and two or three factor authentication. But passwords will still be around for a little time to come. Not all businesses, websites and organisations will embrace changes in technology to enforce alternative credentials due to costs, capability and individual reasons.
Get these areas correct and there is a flow on effect. You, as a user, are more secure on the Internet which means that who you work for is more secure.
So if we all say
Cyber security is MY problem and I have a responsibility to protect MYSELF.
Cyber security is MY problem and I will not rely on others to do it for me.
Cyber security is MY problem and if I want protection, I have to be the one protecting.
Cyber security is MY problem and it is my responsibility in MY business. Whether I am just a lowly receptionist or I am the person in charge, Cyber Security is MY problem.
Then the use of the greatest communication device ever created will be ensured and we can look forward to the next big thing.