How to win the cyber war
This article was first published on LinkedIn. Subscribe to Rupert Lee-Browne's 'Future of Payments' newsletter to read his articles as soon as they are published.
Here’s something that won’t come as a shock to any of us: the bad guys aren’t going away. When it comes to cybersecurity, bad actors have unlimited patience to test, test, test your security systems. And the worst part may be that you have to win every day, but they only have to win once.
Cyber criminals are becoming richer and more sophisticated, giving them access to wider resources. There are already criminals out there providing CaaS – Crime as a Service. And they’re working hard at breaking all the systems we use. The most recent victim of this is two-factor authentication. What we’ve considered safe so far has in fact been spoofed, and can no longer be relied upon to keep us safe.
So let’s start with the premise that you and your company ARE at risk and you NEED to do something about it. There are various issues here – the risks range from data theft to systems destruction via ransomware and basic online fraud. And the methodologies are many and varied. So where to start?
Whose job is it?
It’s easy to say that it’s a board’s job to manage the risk of cyber security. It’s easier still to say that it is entirely the Chief Information Security Officer’s (CISO) or the CTO’s role to carry the weight of responsibility – and of course the blame when things go wrong.
The biggest issue with this is communication between different players. Does the board understand the language the CISO/CTO/CIO is using? Do they indeed understand the very real risks the company is facing? And on the other end, does the CISO/CTO/CIO have enough pull in the organisation to effect that change as quickly as needed?
The simplistic answer is that it’s the whole company’s responsibility. The C-suite and board can effect change across the business to a certain extent, and they need to do their part to understand the risks to the business. If you don’t understand the gravity of the threat, you may not give it the attention it needs. So it’s important to me – and, I’d say, to anyone in my position – to make a real effort to understand what this means. You may not be an engineer, but you need to understand what your CTO is telling you.
Culture Club
When you get down to it, it is much more nuanced than “it’s this person’s job” or “it’s that person’s job”. It is a question of culture that determines how an organisation behaves. Cultures can be toxic or sublime, and every business of more than two people will have its own culture.
It’s a way of going about things, the sorts of people it recruits, the language it uses – it’s all the unwritten club-like thinking and doing that is key. And as important as it is for your C-suite to live and breathe that culture, it is all the more important how that’s communicated and embedded at all levels of your organisation.
Culture eats strategy for breakfast
So if it’s about cybersecurity, why am I banging on about culture? Because at the end of the day, you can have the most sophisticated systems on the planet, but they’re being operated by people. And people come with a big, built-in security flaw. People, by virtue of wanting to form connections, are susceptible to social engineering. So when those cyber criminals fail to break down your security systems through a DDoS attack, the next step will be to attack your people.
Luckily, this built-in flaw, by its very nature, also comes with its own solution. Creating the right culture around security means that your people aren’t drawn in by social engineering attempts, because they’re already embedded in your culture. If you can make sure that your culture includes that understanding of cybersecurity and the importance of staying alert, you’re one step closer to being a truly secure organisation.
At Caxton, cyber security awareness starts from day one. I’m always one of the first people our new hires meet. And I’ll tell them that the single most important thing they can do for us is stay alert. Invariably, what will happen is that a few weeks into the job, a cyber criminal will get access to their details, and they’ll receive a WhatsApp message that looks something like this:
“Hello, it’s Ruperrt Lee Brown. Im in importnat meeting and need your help. Pls urgently send funds to [details redacted]”
And it’s not always that easy to spot, unfortunately. But as long as we keep hammering home the message, we can ensure that culture and technology work together to keep our information – and more importantly, our clients’ information – safe and secure.