Welcome to the Blog
a great way to get a blend of opinion, fact, debate and entertainment all in one place
532 words, Estimated reading time: about 3 minutes, 45 seconds
When a mechanic tells you that you need to replace the brake pads at a cost of $300, you may balk at the cost at first, until you weigh it against the cost of your family members’ lives should you skip the brake pad purchase and the brakes fail.
In this case the cost of inaction is far greater over the longer term than the cost of action. It’s at times like this when we need to put our famous Aussie “she’ll be right, mate” mentality aside and weigh up the real implications of inaction versus action.
This is also true of combating cybercrime. It may be costly, but failing to combat cybercrime is costlier. That’s exactly what is happening today. You are spending money to address the problem but not in ways which can make the greatest impact.
But don’t be alarmed, your organisation is not the only one making this mistake.
For more than two decades the members of our team have worked with thousands of leading brand name companies and government agencies, yet have not witnessed even one organisation get it right until they learned these three fundamental truths we are about to share with you now:
- Cybercriminals don’t care how they get access to your information – it could be rummaging through a garbage bin, breaking into vulnerable technology, or sending emails to gullible people who click on the link and give cybercriminals inadvertent access. Garbage bins, technology and people exist all throughout your organisation so expecting IT to be across all of this is short-sighted. Cybercrime is not an IT problem but a business problem that IT can play a part in.
- Your organisation invests a lot of effort in attempting to prevent cyber threats. This makes a lot of sense. After all, prevention is better than cure. At least that’s what your doctor will tell you. But all resources are focused on threat prevention, which is increasingly failing as threats become more sophisticated. When a threat slips through, it becomes an attack, and your organisation’s reactive and sporadic response needs to be replaced with strategic planning for “what if” scenarios.
- You might expect that the ultimate solution to addressing cybercrime is cybersecurity, but security is very limited. In fact, the definition of security is to be free from threats. This is impossible to achieve, and anyone tasked with an unachievable goal has no option but to fail. Your organisation needs to achieve cyber resilience: a state where threats may fail to be prevented from time to time, but the ability to respond to attacks, recover from breaches and mitigate the damage from impacts is key to adapting and remaining resilient even in the face of adversity.
Pictured here is a cyber resilience maturity chart. Cyber resilience is on the right and chances are you are closer to the left. The cost of achieving cyber resilience is far less than the cost of cybercrime if you are vulnerable, reactive or compliant.
If you want to burn through money quickly, then keep to the left, otherwise start working your way to the right and the cost of cybercrime, to your organisation, will plummet.
600 words, Estimated reading time: about 4 minutes, 15 seconds
It is such a horrible way to start out with such a morbid title that includes the word “death”, but you may remember that in our previous article we covered the unfortunate murder of 27-year-old Colombian footballer Andres Escobar for inadvertently aiming at the wrong goal in the 1994 FIFA World Cup, and how your organisation is aiming at the wrong goal when it pursues cyber security.
Fortunately, for most organisations the price to be paid for aiming at cyber security is not death, but in a few cases the death of an organisation has occurred. One well-known occurrence in Australia was the rather sad incident involving Distribute.IT, a web services provider that sustained two targeted attacks in close proximity and ceased trading in June 2011, putting around 4,800 of Distribute.IT’s clients, many of which were small businesses that depended on having a web presence, out of operation virtually overnight. For the owners of Distribute.IT and its impacted clients, this was a truly shocking moment – to be thriving one day, and extinct the next. For medium to large businesses, the penalty is not likely to be so terminal, but operational, reputational and financial impacts could deal a severe blow to both last year’s revenue and future revenue.
Furthermore, it is also demoralising to be aiming for the wrong goal. If the outcome can never be achieved, it will create a feeling of self-defeat and drive a lack of motivation to expend any effort on a problem that is gargantuan and unsolvable. Ultimately, this affects staff turnover.
So, it’s time to stop aiming for cyber security, but what should be the goal that your organisation should be chasing?
The goal is cyber resilience. Whilst this may seem more a nuance than a fundamental shift in thinking, it has a profound impact on the way an organisation manages cybercrime.
Resilience is the ability of an ecosystem either to not deviate from its current desirable state, or, in circumstances where it has deviated from that desirable state due to an undesirable event, to quickly return to a desirable state. This is often dismissed by many as being business continuity, disaster recovery or crisis management, but those are just a small part of cyber resilience.
Since there are four focus areas on which cyber criminals rely to achieve success, this gives us four focus areas for cyber resilience:
- Vulnerabilities – can we prevent all vulnerabilities? No. If we waited for all vulnerabilities to be prevented, we still would not have seen the first piece of software released, nor would we exist. Humans are full of vulnerabilities!
- Threats – again, we cannot prevent every threat, but we can be resilient to these by having strong controls in place to deter and prevent cyber criminals. Consider a non-IT example such as influenza. To prevent it you would need to wipe out every strain of influenza in existence, but being resilient to it most likely means a balanced diet, exercise and regulated sleep.
- Attacks – like threats, we cannot prevent every attack, but being able to quickly detect and respond to attacks is achieved through resilience.
- Breaches – like threats and attacks, we cannot prevent every breach, but the ability to quickly confirm a breach has taken place and recover from it is a sign of resilience.
Cyber resilience is reducing the impact that vulnerabilities, threats, attacks, and breaches have on the information upon which your organisation relies and is an attainable goal, unlike cyber security which is predicated on prevention and is continually, and increasingly, failing us.
580 words, Estimated reading time: about 4 minutes
If you are a soccer fan you may recognise who is featured in the above photo and the tragic story that followed. Let me explain for those who do not know what happened next.
The Colombian footballer pictured, who played defence, is Andres Escobar. Up against the United States on June 22, in Colombia’s second match at the 1994 FIFA World Cup, Escobar stretched to prevent a pass from American midfielder John Harkes. His timing was off and, to the shock of the crowd, Escobar accidentally deflected the ball into Colombia’s net.
The United States won the game 2–1. The news swept the world with headlines shaming Escobar. He was devastated; Colombia was devastated, but what was truly devastating was what happened next. In low spirits, Escobar returned to Colombia rather than visiting his relatives in Nevada, and on July 1, Escobar joined friends at a bar, liquor store and eventually a nightclub. Shortly after parting ways at around 3am on the morning of July 2, three men approached Escobar whilst he was in his car at the nightclub car park and shot him six times. After each shot, “Gol”, the Spanish word for “goal” was shouted. Escobar died 45 minutes later.
Escobar paid a hefty price for a failed attempt at prevention of his opponent’s goal, which resulted in him inadvertently placing the ball in the wrong goal.
Almost every organisation is “inadvertently placing the ball in the wrong goal” when it comes to thwarting cybercriminals. So what is the wrong goal?
Have you ever met a woman who is half pregnant? You may have met a woman who did not know she was pregnant, but clearly there are two states: pregnant or not pregnant. This is a binary state. Most organisations are chasing a goal of “cybersecurity”, but security is also a binary state. An organisation is either secure or it is not. We associate security with stopping or preventing breaches of confidentiality, integrity, or availability. To be secure means every breach must be stopped. I’ll give you two analogies to let the idea of security being associated with prevention sink in. Would you say that a bank vault is secure after it had been broken into? Would you say that a prison was secure if it was broken out of? The moment prevention fails just once, even though it may have been successful millions of times prior, the concept of security is lost, and you can be sure that prevention will fail in your organisation if it hasn’t already failed at least once.
Chasing cyber security is the wrong goal. Let’s consider, hypothetically, if you wanted to achieve cybersecurity, what your organisation would need to do:
- The organisation would need to be disconnected from the Internet
- All employees would need to be fired
- All customers would need to go elsewhere to consume whatever goods or services you offer
- All physical and electronic information would need to be destroyed; and
- The memories of anyone who had access to any information about your organisation would need to be erased
Each of those is harsh, and not a business enabling task, but if you are hell-bent on cybersecurity, I really do wish you good luck with the last one!
Security is clearly the wrong goal, but stay tuned. In the next post we will explain what goal your organisation should be aiming for if it wants to put up a good fight against cybercriminals.