Last week saw the release of a report which showed that the UK topped the list of nations on the receiving end of malicious cyber activity. Cue dramatic headlines in the media.
But what does all this mean? Increasingly large data points relating to malign Cyber activity and financial loss get produced and communicated regularly through various channels and fall onto a largely unresponsive audience, whose unresponsiveness then generates yet more data points of huge proportions wrapped up in words like "cyber-attack", "criminal cyber war" and "Cyber warfare".
In many cases, the message is being pumped into an audience where genuine understanding of what cyber risk is (and equally importantly isn't) is still formative. So generic data points so huge as to make one's eyes bleed generally fall on stony ground because the audience is unclear about how the points relate to them.
There is an increased scepticism of an IT and information security industry, which over the last decade has generally made no meaningful attempts to simplify understanding of the risks. It has also been accused of blatantly using scary language in order to sell increasingly expensive services and equipment that the client doesn't know whether they need or not.
The result is continued scepticism and/or confusion. There is distraction through scrutinising/discrediting the specific figures quoted rather than the underlying message. Then there is boredom because it is meaningless and scaremongering. So the growing risk continues to go untreated and the on-line/technically enabled environment is not as safe as it could be.
Let’s push through the news headlines and look at the facts:
- Malicious activity on-line is growing a lot and comes through new routes that are not currently familiar to everyone
- It’s an easy threat and risk to understand, even for non-technical people when the message is delivered with the intention to explain and not to exploit.
- With the right knowledge it can be managed proportionately as with all other risks
- Not all cyber risks and threats apply to everyone.
- Appropriate protection and mitigation need not be as expensive as it is portrayed
- Most Cyber "attacks" would be described as theft, blackmail, vandalism or anti-social behaviour if reported in the non-Cyber world.
- A smaller number would be described as state or industrial espionage, political activism, military reconnaissance or manifestations of inter-state tension.
- Fewer still would be described as terrorist planning or attack (we got there eventually) or state projection of power
- And finally there are acts of war (here's the other word) or military activity.
- Regardless of the category, it is done by exploiting human, physical and technical weaknesses.
Sounds a bit like the real world, doesn't it?
The cyber threat is growing because, unlike in the old world, it’s cheaper and faster. Perpetrators can commit criminal acts simultaneously and globally without leaving their homes. They are more comfortable operating in the "cyber" environment than their victims and they are unlikely to get caught. In many cases the virtual world in which they operate psychologically lowers the judgement bar of "right and wrong". And finally, because of the nature of their activity, the victim often gets punished by fines and other costs for not being good enough at stopping it.
"My greatest joy in this job is seeing the palpable relief of clients when they've had the threats and risks, as they apply to them, explained so they can confidently and proportionately invest where they need to. Some governments and large companies spend millions, some SMEs spend low hundreds, but they know why and what risks they are managing through their own informed decision," said Brian Lord, Managing Director of Cyber and Technology at PGI Cyber.
Businesses can protect themselves despite what the news headlines say.
Seek the advice of the professionals at PGI Cyber and spend only the right amount of money on the right things in the right order.