How do we convince people who don’t know enough to make an educated decision? If we trick them into making the right decision, is that ok?
Cybersecurity is not obvious to the regular person (or to the CxO with minimal IT education).
What do the three pictures above have in common? Anonymous, a local hacker, and a criminal hacker from Eastern Europe.
All three are hackers who, for one reason or another, are attacking your systems. And thanks to the wonders of the Internet, you are subjected not only to attacks by US hackers, but also by hackers from China, Eastern Europe (Russia, Ukraine and more) and many other countries where law enforcement is lax or corruptible.
So maybe you thought that the hackers in the top two pictures (local and cause-based hackers) do not have the level of sophistication that the bottom one does.
Now we are connected to all the hackers in the world, including the ones who have made a significant living by making their attacks ever more sophisticated.
Think about this for a second: the hackers are also drawing up plans for next year, and the criminal organizations are looking to recruit new hackers and create more attacks, since they want to “make” more money next year than they did this year (2016).
So, let’s assume you agree that it is important to do more in Cybersecurity next year than this year.
How do we do this? We have to try something new: a method which, in a sense, tricks the decision maker or the user into making more secure decisions.
Well, first we have to review the psychology of security (see last week’s post), which says the security decision maker wants to take the risk of doing nothing (in the hope that nothing happens). Most of us are willing to risk a potential bad day from a hacker; I mean, what is the worst that could happen?
We can go down the list of companies that have used this bad decision making in the past, like:
- Home Depot
- The government OPM office
- Healthcare records (Georgia Blue Cross Blue Shield)
#7 is a story about a hacker who stole 400,000 health records and will potentially make $682k in ransom money.
If your budget and thinking are to keep everything the same, then you are inviting a disaster that will turn your hope that “nothing will happen” into a bad feeling in your stomach when you first hear the bad news.
So how do we do it?
How can we argue against the grain of ‘I’m not worried’?
Do we make the potential bad outcome seem worse? It seems to me that does not work; it is just more screaming into the wind.
We have to increase things incrementally: explain one item at a time.
Let’s patch the systems on time first (if you are not doing this already).
Here is where we have to use compliance with different standards (depending on your industry) to make your security better in 2017.
What if there is no “have to have” compliance standard?
Then you can always pull out the old ISO 27001.
Mr. Decision Maker… we should be ISO 27001 compliant, or at least start to move toward it, so that we can have a competitive advantage over our competitors.
Contact me if you need help with this strategy.