Is the question “Why is cyber security so damn hard?” the right one to be asking?
“Why is cyber security so damn hard?” lamented an SME owner to me a couple of weeks ago. “It just seems that it is unrelenting, unpredictable and highly distracting” he added.
Now I’m not one for immediately responding with insight and words of calm reasoning, but rather I reflect, muse and consider. That being said, to them, and anybody else who is struggling with the difficulties of cyber security, here are my thoughts broken down into three broad categories.
- It’s Not Just Technology
Cyber security has been, and for a long time to come will be, inaccurately labelled by many as purely a technical issue. It is no more a technical issue than a car that ram raids the local branch of Currys is an issue to be dealt with by the DVLA. The role of technology in cyber security is as a platform for crimes to be undertaken, just as a car is a platform to use in a ram raid.
People and how they use technology are as big an issue as the technology itself. They need to learn how to use technology in a secure way – i.e. not falling for phishing scams or accidentally exposing sensitive company data to the world – and they also need to take responsibility for how they use technology. Again, let’s use the car example: if an individual was not taught how to drive a car safely and securely, would you allow them to just hop in and ‘give it a go’? Probably not. A business needs to develop a cyber aware culture for all staff, not just the techies!
- The Connected World Is Different To The Physical World
The world is now connected at incredible speeds; no, that’s not an advert for an internet service provider, it’s a fact. Data moves around the world in literally seconds. Geographical boundaries and national borders have little or no meaning in this world. The boundaries of concern should be those of the extremities of a business’s network, which will undoubtedly stretch much further around the globe and into many more supply chains than expected.
This means that attacks can come from any country, any criminal, at any time, from any weak link in a business’s network. The very benefits of this connected world, where suppliers can be directly connected to their consumers, work in the opposite direction for cyber security. Those who want to steal from you, or cause material harm to you as individuals or businesses, are just a click away.
Trying to apply our physical world thinking to the connected world is a mistake, as it is a completely different model and requires completely different thinking. You may think that you are a UK-based company, but if you use services such as Microsoft 365, Dropbox or even Google, then your technology is operating globally.
- The Law Is Playing ‘Catch Up’
Governments, lawmakers and law enforcement are all playing the world’s biggest game of catch up regarding cyber security. It has caught them all by surprise and allowed the cyber criminals a relatively free run at any target.
This leads to an uncomfortable truth: those whom we may have trusted to keep us safe cannot, at this present moment, do so in the connected world in the way that they have been able to in the physical world, and thus relying on them, now, for this issue, may be unwise.
What also needs consideration is that, unlike in many industries, defined regulatory standards for cyber security are at this time still in their infancy, with many being only recommended as opposed to being mandatory. Although mandatory regulation gets a bad reputation in many instances, it does allow a business to build a framework of compliance, whereas recommendations and advice can be ignored.
Other support services from which businesses obtain advice and direction, such as legal counsel and business insurance, are still developing in the cyber security space, further complicating the decision-making process for businesses. Therefore, businesses do need to place their trust in the cyber security industry for assistance and guidance.
It can easily be seen how just these few topics can very quickly develop much further into subcategories of training, supply chain audits, data protection, legal compliance and trusted advice. So, does all this mean that the SME owner I spoke to is correct and that cyber security is ‘too damn hard’? No, it means that cyber security is a much bigger and more wide-ranging issue than many have been led to believe, but it does have an upside.
It requires a rethinking, retooling and retraining of how technology is used within a business and, if done right and done well, can lead to productivity enhancements, business differentiation and competitive advantage. So maybe the question should not be “Why is cyber security so damn hard?”, but “What business benefits can I obtain from addressing cyber security?” You may be pleasantly surprised at the answer.