Why don't we take cybersecurity seriously?

In the never-ending battle of good against bad, the good guys have a distinct disadvantage. The good guys, you and me, we have to play by the rules!

When it comes to the digital world we have a serious problem.  

The bad guys are getting organised. So organised that they run their organisations better than some big businesses. So organised that the dark web is being taken over by what appear to be criminal entrepreneurs.

They use the dark web to set up systems that make them money automatically. 

They have automatic malware development kits that anyone can use, for a price! They have a business model like normal business, a business model based on pay as you go. They have service level agreements, bulletproof hosting and malware development. Monthly fee, no problems.

There is a difference, they communicate and interact better than most people and organisations. For a group of perceived geeks and nerds, they can really talk.

Among all of this we have the general punter. 

Mum and dad doing email and online shopping, kids doing their homework. Small and medium business, large enterprise and government departments, all have the self-destructive attitude of why!

Why would they target me?  

I have nothing worth stealing, we have nothing of value 

To tell you the truth, I am so sick of hearing that. We definitely need a wake up call. 

In 2013 it was Target, in 2014 it was Sony Pictures, in 2015 it was Hacking Team and this year, just recently, it was Dropbox. That doesn't include government breaches, and there have been a serious number of them as well.

We still hear, it will not happen to me.  

How many people have this attitude? Way too many! From personal experience I would say a good 80 - 90% of the digital population. How did I arrive at that number, you ask?

A number of reasons have got me to that number.  

We run a small managed services company. Our clients are small and medium businesses and not-for-profit organisations. Our service is to make sure that their computer systems are working correctly so that they can focus on core business.

That is relatively easy, it is a tangible product. You can touch, see, hear and feel what we are talking about.  

Now try to discuss business security. That's when we hear all of the illogical reasons. All of those mentioned before. From CEOs to managers and owners, they still have that same attitude (it has improved slightly recently). Increasing business security awareness is like pulling teeth.

We offer a free quarterly presentation to all staff on business security. Each one is a 20-minute presentation and covers the fundamentals; the first one really looks at the basics. The others are designed to increase awareness and empower your staff.

This is FREE. No strings attached. No sales, no push, just straight educational value.

You know how many organisations have jumped at it when first mentioned? Just one! Out of a hundred clients, only one has accepted this program at face value and taken it on board. Another 15 have accepted it with a little pushing. Selling it to the other 85%, well, that is interesting.

The other reason is also from experience. I help run a cybersecurity training lab at a well-known Australian university.

In the first lab, after I have introduced myself, I ask the class to stand up and give me 3 pieces of information: their name, how much they know about the digital world and what they expect to get out of the course. This semester, 160 students, question 2, invariably "not much" or "I only use it for assignments".

These are the digital natives. 

These are the people who, over the last 20 years, have been brought up with one foot, if not two, in the digital world. They have absolutely no understanding of digital security. They only see what they want to see.

They see what is on the screen. What they type, slide or click to access. 

This world that they see, it is 5% of what is really happening.

I think we are failing in our attempts to protect people. We have to teach them the basics, the fundamentals.  

Stop taking our personal attitude into the digital world.  

This glorified "trust everyone and everything" has to stop. The sooner we "TRUST NO-ONE" the better for everyone.

Andrew Plato

CEO/Founder @ Screenopolis & Zenaciti | Author of "The Founder's User Manual"

6y

I disagree. "Trust no one" is ineffective. I believe this is condescending to people. It is this indignant attitude that makes people dislike security practitioners. A more constructive approach is "Trust but Verify." Assume people have good intent until proven otherwise. Collaborate rather than scold. Calling young people names only makes them dislike you and reject whatever you are saying, regardless of how "correct" it is.

"It hasn't happened before, we don't need to worry about it"

Patrick Hamilton

CTO Internet 2.0 | Director & Boardmember (US) | Cybersecurity & Technology Expert | Machine Learning & Neural Network Specialist | Financial Institutions & Critical Infrastructure | Solution Architect | CISSP ☕

7y

This article makes several good points – worth a read!

Tony Vizza

Executive Director at KordaMentha | Cybersecurity Risk Management Professional | Risk Management Professional | Privacy Practitioner | Expert Evidence

7y

Cyber security is like pest control. Most people don't admit it, but they probably have a few cockroaches crawling around. Some people may have mice. Some people may have rats or possums. However, only once the problem becomes apparent and/or unbearable do they do something about it and call the experts in, who then need to charge copiously to deal with a problem that could have been mitigated had people been more proactive.

The majority of breaches have few, if any, serious consequences and many of them never become public so reputational damage is zero. This may change if the mandatory reporting regulations get through the Australian parliament this sitting, so a glimmer of hope there. The 'digital natives' are also living a 'no consequences' dream where the cost of most compromises is covered by financial institutions who have done their sums and figured that they are still way ahead even with these outlays. Just keep on using the cards and they keep on taking their substantial slice. Even at the rarefied institutional level peopled by 'digital strategists' there is an appalling lack of knowledge and, more importantly, often a lack of care for their customers as they force flawed technology - think email - onto them. It's cheap, it's easy because it can be outsourced, and they don't have to live with the consequences. The bad guys just ride on the back of all this, laughing all the way to the bank... who is probably also making a fat profit on this side of the equation as well.
