By Matthew Olney – Communications and Content Executive at PGI (This article was first published in the New Statesman)
On New Year’s Eve 2015, the BBC website was knocked offline. Immediately social media was abuzz with rumours, and it wasn’t long before the press got involved. Headlines blamed the so-called Islamic State for the attack. In reality, it turned out to be the handiwork of anti-IS hacktivists who were testing their capabilities. Either way, the question remains whether a simple piece of temporary online vandalism merited the media profile it generated.
People Fear What They Do Not Understand
Cyber is a word that can cause the mind to race. A “Cyber-attack” is as dramatic as whatever an imagination makes it. With the right stimulation, “Cyber-attacks” make good headlines and great scare stories. The best way to tackle the threat posed by cyber criminals is to educate people so that they understand how such attacks occur and in turn learn how to counter them. If we regard cyber crime in a similar context to, say, burglary, then immediately the threat is normalised.
Every decision we make in our lives, be it conscious or subconscious, is based upon some kind of risk assessment. Unless an understanding of the “new Cyber threat” is thorough and widespread, the associated risk will continue to be seen and treated as extraordinary. In the 21st Century, where technology underpins just about everything we do and use, this is an unsustainable and unaffordable position.
In the business and government worlds this lack of understanding continues to be relentlessly exploited by an IT Security industry that perpetuates the concept of dramatic and increasingly apocalyptic consequences if its new security technology is not adopted. The Industry continues to use the same hi-tech, complicated scare language that it adopted in the run-up to the millennium, which burned its credibility and confidence in its integrity.
The real-world consequence of this lack of understanding and consumer scepticism is that the take-up of Cyber Security risk management is far slower than it should be. Perhaps, unlike Y2K, there are genuine threats and risks which are, and will continue to be, an inherent and perpetual aspect of the adoption of technology. There are always people who will seek to exploit good things for nefarious or criminal means, and technology is no different. But that doesn’t undervalue the huge benefits of adopting technology. Nor does it mean, just like all other security risks, that the threat is anything to disproportionately fear.
For years, law enforcement agencies have educated the public on how to protect their property from would-be thieves and, just like conventional crime, there are measures that people and organisations can take to prevent themselves from becoming victims of cybercrime.
The risks are hugely different depending upon the environment in which they are considered and, again, just like other security risks, proportionate treatment of them for the vast majority need not be expensive, complicated or anything other than a normal cost of living and operating in the 21st Century. Even for those, such as banks, the defence industry, some government departments and other industries, where the nature of the threat is more complex and higher-impact, effective risk management need not be any more challenging.