Why your organisation’s cybersecurity practice is not all you had hoped for

July 4, 2017

If you have ever wondered why the cost of cybercrime continues to rise each year despite increased spending on cybersecurity, or why, despite newer technologies being added to the mix, ransomware attacks such as WannaCry in May and the new Petya variant in June of this year are bringing large organisations to their knees, the answer is one small mistake made back at the dawn of the e-commerce era. That mistake has ballooned into the pandemic of the 21st century: cybercrime.

When the likes of eBay, Amazon and PayPal demonstrated that the Internet was more than a repository of information, but an “always open” business enabler, crime went online. The executives and directors of the time assumed that IT would be able to solve this problem, and IT did what it knew best: it tackled the problem with technology. This appeared to work for a period, but cybercriminals adapted their techniques to outsmart the technology.

Inevitably, threat prevention technology declined in usefulness. This left IT unprepared for the onslaught of rapidly evolving cyber threats headed its way and forced it to be reactive and improvised in its pursuit of cybercriminals. By 2010, it was clear that threat prevention using technologies such as intrusion prevention and anti-malware was a lost cause, simply because of the sheer volume, variety and velocity of cyber threats. It also meant that IT lost the ability to be strategic, consumed instead by the day-to-day tactics of hunting for threats that were now manifesting as attacks within the organisation.

With no strategy in place, and haphazardly recovering from the breaches caused by attacks it had not been able to detect, IT saw its value as a force against cybercriminals diminish within the organisation.

But this should be expected, given that IT was never meant to be accountable for combating cybercrime, and the ultimate defence against cybercrime was never meant to be cybersecurity.

Let me explain.

If, from the beginning, when cybercrime began to rear its ugly head, the board of directors had taken accountability, made executives responsible, and enabled everyone in the organisation to play a support role, with IT taking the lead support role, this would have fostered a collaborative effort to understand: the most critical assets of the organisation and the vulnerabilities in those assets; the threats those assets would be exposed to, and how to predict and prevent them; for the threats that progressed to attacks, how to detect and respond to them; for the attacks that progressed to breaches, how to recover from them; and finally, the impacts on the organisation when breaches occurred.

This would have provided not only risk reduction but gains in operational efficiency, a return on investment and, inevitably, a competitive advantage. This practice would have been called cyber resilience. Unlike cybersecurity, which is centred on threat prevention, since security by definition is the practice of being free from threats, cyber resilience would have enabled organisations to be prepared for the next cyber threat and to adapt proactively as required when that threat progressed to an attack and, in some cases, a breach.

It’s time to correct that error from the early days of e-commerce and make directors accountable so that cyber resilience can help your organisation beat the rising cost of cybercrime.