The academic and industry literature is full of extremely useful research, insights and advice on how people interface with security technology and how that interaction can be enhanced to reduce the chance of a malicious attack. However, the role of the human in enhancing the overall resilience of an organisation operating within an environment where the cyber risks of any type are high is discussed much less.
Clearly, stopping the risk at source with technological measures such as security controls that prevent anything malicious from penetrating the organisation's IT systems, and fool-proof systems that work first time, every time, is the ideal. But no security is 100 percent effective, threats frequently emanate from within an organisation and, whilst malicious attacks dominate the news, other, more mundane IT issues such as hardware failures, network outages and user error are far more common and often have a similarly disruptive impact on an organisation.
An organisation therefore needs to be able to function despite glitches, attacks, accidents and disasters with its IT systems. A well designed and maintained Business Continuity and Disaster Recovery capability will interface with security measures to ensure that the organisation “survives” such disruption by enabling operations to continue to produce critical products and services at a predefined level and return to business as usual as fast as possible. But other skills, capabilities and behaviours are required for the organisation as a whole to “thrive” despite cyber risk.
This paper looks at two of the most common human behavioural mistakes and suggests ways to overcome them.
Underestimating the enemy
Any corporate strategist or military general will tell you that the fastest way to lose a battle is by failing to understand, and match, what you are up against. Whilst script kiddies who are trying to impress their social circles can still wreak havoc, the main malicious threats to business are now skilled business people whose general aim is to profit from exploitative attacks.
As opposed to armies fighting over territory or corporate giants fighting over market share, the new battleground is “information” where professional cyber criminals battle to gain information that has the potential to earn them substantial profits.
Although it has long been known that a certain level of organisation exists within cyber criminality, recent actor profiling on the dark web has shown that a clear value chain exists for exploitative attacks such as ransomware. The actors within the cybercrime economy generally fulfil roles that are similar to those in a conventional organisational value chain.
For example, a typical “cyber organisation” will include: Vulnerability Researchers who search for zero-day vulnerabilities and sell the information to Malware Authors who can write exploit code; Malware Vendors and Distributors who buy and sell ransomware in marketplaces; Website Crackers and Designers who recreate websites that look authentic to the user and could act as a trap; and Money Mules who steal identities from individuals and set up intermediary bank accounts that they offer to vendors to store ransom funds.
These “cyber organisations” operate in much the same way as a conventional organisation, looking at markets and deciding their attack strategy based on costs as well as their strengths (e.g. the encryption algorithm employed, their reputation, partnership opportunities etc.) and the potential targets' weaknesses, which are meticulously researched and tested.
The average boardroom is supremely occupied with identifying, analysing and creating corporate strategies to stave off legitimate competition. However, most organisations seem to have a blind spot when it comes to “illegal” competition and attempt to enter the information battleground not with a fully resourced and trained army but with a couple of foot soldiers armed with bayonets.
The cyber economy has reached such a scale and sophistication that it is dangerous not to analyse the illegal cyber organisations that are competing for your information in the same way as you would a new market entrant. Likewise, it is no longer effective to pursue a defence-only strategy that focuses on an insular understanding of your organisation; it is now necessary to be prepared to create opportunities to defeat them through strategy.
Misjudging the effect of gossip
It is an extremely rare news day when some organisation or another is not publicly exposed for losing personal data. Most executives will emit a sigh of relief that it is not them. Some will immediately take action to find out if their organisation is also at risk and rush through security measures. Others will bury their heads in the sand confident that it will never happen to them. But a small proportion will seek to capitalise on their competitor’s misfortune.
This may seem harsh, but business is business, and if a customer is unable to find what they need from their normal source there is nothing inherently wrong with positioning yourself favourably for when the customer looks elsewhere.
The problem, however, is that a data loss obeys “Gossip Theory”, which means that not only is it not possible to capitalise on your competitor’s misfortune, but the whole industry, including you, is very likely to be disadvantaged financially.
Gossip is defined as “the unsanctioned transmission of personal information about a vulnerable third party” – which is exactly what happens when an organisation that you trusted suffers a data breach and your personal data (name, address, bank account details, passwords etc.) is released without your knowledge or control to a malicious third party.
The typical reactions to learning that you are being gossiped about are feelings of betrayal and violation, accompanied by a loss of trust in “all” the holders of your personal information – not just the one that gossiped. It is also typical to vocalise these feelings, leading others to also start to distrust the type of people who hold such information.
In the case of a data breach, such word-of-mouth effects can be extremely damaging to the bottom line but are relatively easy to counteract with data policies that emphasise transparency and control. For example, Martin, Borah & Palmatier calculated that if Citigroup had had such a privacy policy in place at the time of their recent data breaches, their losses could have been reduced dramatically.
In summary
Organisations have got quite good at “surviving” operational disruptions by employing business continuity and disaster recovery capabilities. Likewise, they have become fairly proficient at preventing the likelihood of cyber-attacks with security measures.
However, information is now arguably the new corporate battleground and competitors, who are often illegal, are upping their game. The impact of a successful cyber-attack is now very rarely simply an operational disruption but a full-blown strategic shockwave, impacting not simply the organisation in question but the whole industry that surrounds it. However, there are some simple behavioural changes that an organisation can make right now that will minimise both the impact and likelihood of an attack.
By Dr Sandra Bell, who is Head of Resilience Consulting at Sungard Availability Services.