I hear it from near and far: Covid-19 is the reason that management in many organizations is now approving and demanding security at a high pace. What is wrong with this? Well, to state the obvious, a pandemic should not be the reason we start working strategically with cyber security, let alone security awareness. If I could stand up like Émile Zola and utter "I accuse," I would, but I don't think it would help much. What will, then?
Security experts have for decades been standing on the digital barricades, shouting at the top of their lungs and pointing out the risks and threats in cyberspace. We have pleaded for sustainable security processes, explained how they can be the salvation of a secure business, and how in the long term they save a boatload of money. This pandemic crisis has made one phrase obvious to management: "if you think security is expensive, try a crisis". And in an era where what happens in Vegas ends up on YouTube, security and privacy are not for the passive, nor for anyone who firmly believes they can dodge the economic "bullet" by handling security and privacy as projects rather than fully committing to the processes they require. That is, if they are dealt with at all.
So, bad rhetoric aside, I accuse management of having for years intentionally avoided recognizing the elephant in the room, only now, in a time of crisis, to start pointing fingers across the boardroom in search of someone to blame. Let's start with ransomware. Sophos recently released a report on this topic (The State of Ransomware 2020) stating that the average cost of handling a ransomware attack is close to 710k €. In Sweden this number is close to 2.45 m €. The countermeasures come nowhere near this amount. In fact, the cost of implementing, pre-crisis, the right procedures and processes to minimize risk, secure the infrastructure and run security awareness as a process fades in comparison to the cost of the project that has to deal with a ransomware incident. And the prognosis is that ransomware attacks will escalate rather than decline.
But it is about more than ransomware attacks. This crisis has revealed that management has not even planned for a situation like this pandemic. The BCP (Business Continuity Plan) that should act as a beacon in these dark times, showing how to carry on in a crisis, shines by its absence: it is missing, lacks content, or is simply not communicated, let alone understood. You could argue that no one could have predicted this pandemic and its impact. Again, this is neither the first crisis nor the last.
We are in the middle of our time's industrial revolution, global digitization, where a state's borders are replaced by a domain. A digitization we never went to the polling booth to vote on, but which was inevitable as soon as we invented computers. This digital train cannot be stopped. This digital, industrial, global revolution is exposing the gold nuggets of our time: personal information.
Businesses have gone from a life expectancy of 75 years to a decade, two at the most (former SAS CEO Jan Carlzon, in a 2015 lecture). To survive longer than this you can either get on the train or not. To be on the train you need to understand that the elephant (i.e. security and privacy) is a force not only to be reckoned with but an essential ingredient for survival: you need a mature and structured approach to these matters to protect today's true currency, information, and personal information especially.
But not all is bad. A crisis often creates an internal dialogue and an incentive for the processes around cyber and digital security to evolve. Management tends to invest in security post-crisis. However, these investments are often cut short or even halted after a while, because the organization deems them a showstopper for business, the nemesis of the sales process, or too time-consuming. Three responses to this:
a) This is only true if security comes last, i.e. is the last step in every development effort and/or project;
b) This is only true if you keep treating security as the elephant in the room or as something abstract; and
c) This is only true if you hire an expert and tell them what to do, instead of doing what they tell you to do.
Add to this: incidents will keep happening, and even more so if you discard or forget to raise security awareness, with the purpose of risk reduction, throughout your operations as a continuous process. Neglecting to raise awareness, and thereby reduce risk, through ongoing education is a sure path to not evolving security-wise.
We need to start recognizing the elephant in the room and start taking it seriously. This pandemic and its impact on society to date have made one thing crystal clear: the business landscape is forever changed. It poses new challenges in the areas of cyber and digital communications and operations. This new normal, and the level of security needed for individuals and businesses, relies solely on how we deal with the elephant. The risks are different, the threats are different, and the new world is altogether different when it comes to surviving, and not only business-wise. We can only manage this by pulling together and including the elephant in the process.
Robert Willborg, Junglemap