The rampant growth of cybercrime on the Internet is the unforeseen impact of unforeseen risk. The Internet was never designed to be secure.
The result? Every single organization connected to the Internet is targeted by cybercriminals. Some are hit with waves of indiscriminate commercial mass cybercrime. Others are hit by dedicated, sophisticated teams backed by nation-states or organized crime. Others are collateral damage.
As a business leader, the challenge in today’s ever-changing environment is learning how to effectively manage cyber risk in the same balanced manner as all other business risks, from the risk of a new disruptive competitor to the risks of strategic mistakes or missed opportunities.
Not a tech problem
According to research by IBM and Ponemon, the root cause of 95% of successful cybercrimes can be traced back to people. The reasons for this are straightforward, yet they pose a unique challenge for business leaders and security teams.
In our connected world, humans are constantly using a wide variety of devices and applications.
As a result, employees, customers and third parties amass data, communications and information in the cloud and on devices and applications.
This data, and the devices and applications that hold it, become a form of electronic intellectual property and intangible asset, stored in digital formats across a variety of locations with often inconsistent monitoring, management and risk mitigation.
Cybercriminals develop innovative ways of monetizing electronic intellectual property and intangible assets.
The most common path to stealing or ransoming these electronic assets starts with an employee.
No silver bullets
While investments in security technologies are a prudent step to minimize exposure to cybercrime, the fact is that in our connected world human beings cannot be completely secured.
At any given moment on any given day, any employee of any organization can unsuspectingly click a mouse and unleash an inadvertent peril to their organization. Does that mean we disable the use of computing devices? Clearly this is not a realistic risk management strategy given the money organizations have invested and the value that technology creates.
Investments in security technologies are important; however, implementing technology addresses only part of the cyber risk within an organization. What remains unsecured are the choices, behaviours, processes and decisions made by people, which often bypass technology-centric security.
For example, if an employee chooses to use the same password for all of their online services (or a simple variation of the same password), they are creating an organizational vulnerability.
A further consideration: technology is deployed, managed, used and maintained by people. For this reason, it is also vulnerable to inadvertent misconfigurations, missed patches or, in some cases, failure to use it at all.
It's far easier to target and manipulate humans than it is systems. Humans are subject to a variety of built-in vulnerabilities: fear, anger, curiosity, greed, lust and many more. A cyber-unaware or unengaged employee's vulnerabilities can easily be exploited with a simple phishing e-mail.
Or it may be the busy executive who mistakes a phishing email for a legitimate one. Or the system administrator targeted via their social media interests. Or the middle manager whose home network was compromised and who inadvertently brings a cybercriminal into work without a firewall ever knowing about it.
The list goes on and on.
The root cause of the problem is that security is typically conceived of as a technology construct, not as a combined function of people, process, culture and technology.
This leads to a fundamental question: How can leaders manage the risk of cybercrime without visibility into a major root cause?
Given the billions cybercriminals are able to siphon from our economy every year, the assumption that human beings can be secured via technology alone is clearly false.
To help address the gap, measuring, monitoring and managing human-centric cyber risk becomes paramount to reducing the impact of cybercrime on your organization.
The phrase "what gets measured gets managed" has been attributed to management guru Peter Drucker.
Cybercriminals will target your leaders and your employees. How are you measuring, managing and monitoring that risk?
We can help.
David Shipley is the CEO and co-founder of Beauceron Security Inc. David is a cybersecurity veteran who has spoken at national and global technology and business conferences across North America. David is the former cybersecurity lead at the University of New Brunswick. He frequently appears in local, regional and national media to talk about technology and cybersecurity issues.