Information Security programs have ballooned in terms of scope and effort to protect critical data and preserve the integrity of personal data. However, breach incidents and reports of horrific Ransomware ordeals continue to pepper the news media with infamous regularity.

Why Is This?

There are many contributing factors that, when taken together, become a millstone around the neck of Cyber Risk Management. These factors include:

  • Vulnerability detection and management has become ineffective.
  • No matter how strong your perimeter is, innocent, well-meaning humans can still invite threats.
  • Security policies are often treated with disdain and serve has a template “figurehead” and not as a real business process.
  • Policies are watered down, so they don’t offend employees.
  • Patch management has become almost pandemic in scope.
  • Cyber risk software solutions have grown exponentially, effectively diluting any chance of solving actual problems.
  • Hackers understand security better that most IT departments.
  • Leadership views cyber risk management as a simple budgetary line item and not a part of business culture.
  • Cybersecurity is rolled into overall business risk, which is then mixed into the rest of business risk, and focus becomes lost with no serious support for Cyber Risk Reduction.
  • Everyone looks at their IT department to blame rather than taking their own role seriously.

What can be done?

We have been hearing for years how information security must become ingrained in our daily living. Yet, most give no thought to making their daily information security practices more secure. Many behaviors in the workplace violate established policy, yet, there is no consequence when such violations occur. The consequence does not have to be extreme, perhaps a simple training session is all that is needed, or at least recognition that a violation has occurred.

We have been running automated patching systems for years and yet, unpatched systems continue to be a primary route of exploitation by the malicious. We have run simulated security attack scans for years and either set the results aside or don’t believe the threats are real because they seem so unlikely to occur.

We have been running training programs for years to help educate our user populations about the dangers of click-bait and spear-phishing and yet, humans continue to be a major attack vector for the successful malicious attacker. Leadership continues to see Cyber Risk Management as a bigger threat to the budget rather than a protection against the even bigger drain on the budget were a cyber-attack to succeed.
Organizations are slow to adopt and implement strong Cyber Risk policies that put any burden of security responsibility on their employees. Some feel that stronger policies subject the employee to undue exposure, so they dilute their policies making them less effective and ultimately leave the business under-protected.

Many organizations feel that they should limit the amount of time and effort their people put into Cyber security concerns because it distracts them and reduces their productivity, again, leaving the business under-protected.

Even if we were to conduct an over-simplified audit with only these 3 fundamental steps:
(1.) What employees state, which should match (2.) What are your Policies and Procedures, which should match (3.) What is the Practice… We generally see that those steps are out of alignment.

This indicates that organizations view Cyber Risk, not from the top down, but a bottom up. Policies are simply put in place, but not put into practice. Ultimately, the Employee never understands the policies or even reads them. This lack of alignment increases the overall risk of exposure to breach or compromise.

There is something that can be done…

If you are in a leadership role in your organization, set the example. When your managers see THEIR manager taking information security seriously, they will recognize the priority. Teaching by example has long been established as one of the most effective methods of education.
If you are in a technology role in your organization, keep your focus. It’s easy to put the results of the latest scan on a shelf to worry about it later. When risks are identified don’t belittle the scenario as being too unlikely to be plausible. Most attacks are discovered, scripted and published to the hacking community so that even a child can run the malicious attack against that “implausible weakness”.

If you are in a finance role in your organization, look at the budget with the proper perspective. Sure, Cyber Risk Management is expensive. But it’s nothing compared to the cost of the million-dollar bitcoin ransom you are facing because the budget didn’t allow for sufficient safeguards to be put in place. Not to mention the less tangible “loss of reputation” costs or “client mitigation” costs of paying for credit monitoring for your customers.
If you are a user of data within your organization, don’t look at Cyber Risk management as a painful formality. You handle private data every day. All the corporate security programs your workplace forces on you are for everyone’s protection.

The world is hyper-connected. The threats are real, we hear about them every day. The impact hits everyone, no matter their role. It is important that everyone participate in and embrace Cyber Risk Management.