How many times will you suffer from a cyber attack before you actually take real action? The answer is probably three.
“How many times have I got to tell you to stop doing that before you will learn?” would often be heard around my childhood home, as I’m sure it was in yours and probably in your children’s if truth be known.
Like you and probably like your children too, I didn’t listen. I decided to learn in my own way, under my own misplaced guidance. Somehow I had to find out for myself, irrespective of the consequences, which in many childhood instances would be cuts, bruises and a wide collection of grazes!
It seems that no matter how much advice we are given, how many people who are more learned than ourselves give us practical and insightful assistance, we still like to find out for ourselves, even if the costs are high.
While in discussions at the National Cyber Skills Centre this week, it was mentioned that these childhood desires to ‘find out for ourselves’ continue into modern business life and, most notably, into cyber security. Despite cyber security costing companies many millions, despite millions of individuals losing personal data, despite the headlines of notable brands suffering major hacks and data breaches, it still is not enough to spur many into action.
It would appear that a company, organisation or individual has to fall victim to a cyber criminal a number of times before they will actually take action. The number in question is three. This thesis is based not on market research, or wide ranging business surveys, just the experience of a secure software company that was sharing their thoughts with us at the NCSC over an impromptu coffee.
The more we talked about this, the more obvious it became. On the first attack or breach you can imagine the discussions – “Well, it was inevitable, we couldn’t do anything about it; if the criminals were going to get us, then they were going to get us.” There would be a feeling of resignation that this day would come no matter what preparation had been done, and that although they were always planning to look at cyber, more pressing matters had taken precedence.
A second attack, how would that be rationalised? Maybe it would be put down to ‘bad luck’ and to lessons not having been learned from the first attack. There would be scratching of heads and a ‘tightening’ of security policy, such as passwords being made more complex, and perhaps the available software patches for all systems would (finally) be applied to bring everything up to date and made secure.
The day that the third attack strikes, and it will happen, there is going to be a very different atmosphere present. No longer can this be tolerated, no longer can fines be paid and woolly explanations sent to customers and suppliers alike. A third attack is serious. A third attack is a trend that cannot be ignored. After the third attack action will be taken.
To put it in more literary tones, in the novel Goldfinger, by Ian Fleming, Goldfinger himself says to James Bond: “Mr Bond, they have a saying in Chicago: ‘Once is happenstance. Twice is coincidence. The third time it’s enemy action.’”
And maybe that is worth remembering: the third time a company suffers at the hands of a cyber criminal, it is in fact enemy action, and thus deserves a response of technical and procedural significance.
The more I muse on this concept, this theory, the more it makes sense, and it is probably far too close to the truth for comfort. Only on the third time I fell off my bike as a kid did I start to make meaningful adjustments to prevent further injury, even though those with more experience than I were urging me to acknowledge the risk I was placing myself under. What do you think? Does this almost off-the-cuff comment over coffee portray the real way that companies are approaching cyber security?
If so, then it really is a case of ‘third time (un)lucky’ for almost all of us.
Thanks to Steve Borwell, of Borwell Software, for the chat.