“New year, new you”: let’s flip this and look at “New year, new cybersecurity”.
What are some of the assumptions and unconscious biases about cybersecurity that we can pull out and look at?
Do you know what cybersecurity means to the people around you?
Cybersecurity will mean different things to different people.
To an everyday person reading this, it could be protecting email, bank accounts, and Facebook. For an IT professional, it might be about deploying anti-virus software and enforcing Windows updates or other technology solutions. A CEO, CIO, or other senior leader could be thinking about cost/benefit ratios, strategic enablement, and competitive advantage.
None of these views are right or wrong; it just means how you think about cybersecurity may be different from the person next to you.
The two important questions I want you to ask yourself are ‘What does cybersecurity mean to me?’ and ‘What does cybersecurity mean to the people around me?’ because I can guarantee that those around you will have a different understanding. You might be surprised at some of the different meanings and insights you gain by asking these questions.
What are your assumptions about cybersecurity?
When I talk to people about cybersecurity in a business context, there are typically a few things that I hear: ‘We can’t afford that’, ‘Our security team is the house of No’, and my personal favourite: ‘We don’t have anything worth stealing’. Let’s challenge these:
‘We can’t afford that.’
This is a response I normally hear when someone is thinking about cybersecurity from the perspective of technology. They are seeing expensive applications and around-the-clock (24/7/365) monitoring, etc. And yes, for some organisations, that is what cybersecurity looks like. However, just as all people are different, all organisations are different, and what works for one may not work for another.
Improving your cybersecurity can be as simple as moving from a password to a passphrase, implementing multi-factor authentication, updating a process so that any payments over $1000 need to be approved by a second person, or letting staff know that the organisation does not use gift cards for any reason!
These are all small things that any organisation can do at minimal or zero cost, and they will improve your cybersecurity.
‘Our security team is the house of No.’
Personally, I hate hearing this because I think security teams are helpers, not gatekeepers or spreaders of fear, uncertainty, and doubt. Thankfully this attitude has been changing over the last few years, and I’m hearing this less often.
Cybersecurity teams or professionals typically look at things from a technology perspective. For example, letting staff use ChatGPT is a huge security risk as they could expose confidential information. So, ‘No, staff cannot use ChatGPT!’
Let’s flip this, though, and look at it from a business perspective. If staff are allowed to use ChatGPT, they could get their work done 30 minutes faster each day. That might not sound like much, but if you add it up over a year, it’s almost three weeks’ worth of work!
In this example, a better approach might be: ‘Yes, but we would need to do X, Y, and Z, and the risks are still A, B, and C.’ By taking this approach, the security team can be seen as enabling the organisation to use ChatGPT in a way that mitigates the security risk.
‘We don’t have anything worth stealing.’
Yes, you do have something worth stealing.
Is it worth a hacker’s time to spend 80 hours breaking into a small five-person business? Probably not. But today, most cyber-attacks are automated: a bit of set-up time, then managing attacks on 100 different organisations rather than just one. In this case, yes, it is worth the time, and you will be targeted at some stage. Security professionals often say: ‘When, not if.’
A practical example of this is from the mid-2010s when I spoke to a small business about cybersecurity. They made the statement, ‘We don’t have anything worth stealing.’ I had to pause for a moment and then explain that they had the personal information of thousands, if not tens of thousands, of people… and yes, that is something worth stealing—especially if it’s an automated attack that takes someone five minutes to set up.
The question is: Do you know what your organisation has that is worth stealing? What would be the cost if it did get stolen?
In summary
I view the phrase ‘New year, new you’ as all about introspection—who are you currently? What are the things that you like? What are the things you don’t like? What are the things you want to change? What assumptions do you hold about yourself?
‘New year, new cybersecurity’ is the same. Look at how you view cybersecurity, look at how others view cybersecurity, challenge those assumptions and beliefs you’ve always had, and give yourself space to consider different ideas.