Let's look for answers beyond the clickbait headlines about cyber breaches
Welcome to the first of what will be a regular series of Tech Blog posts from me on the world of cybersecurity.
There is already an overwhelming amount of news about cyber attacks and breaches almost daily, so I'm keen to start something a little different. If you look at most of the news feeds on breaches they're pretty doom and gloom.
On the whole, most breaches occur because the bad guys successfully tried something that worked. They exploited a vulnerability in a system, whether that vulnerability is a human, a process or technology. Unfortunately following any breach the press then has a field day with a hugely negative spin because "MAJOR BREACH" is excellent clickbait.
Let's start with the core of that negative spin. Breaches are bad, and they do negatively affect the victims. So I want to stop for a second and consider the victims of cyberattacks. Let us compare the digital world with the physical world. If you get physically attacked on the streets, then you are a victim. For you, there is victim support, and there will be help and sympathy. With physical crime the bad guys are bad, and you, the victim, are the aggrieved party. But it appears that this is not so in the digital realm, unfortunately.
Who's really to blame?
In the digital realm if you are breached then it's seemingly your fault. Not just in NZ, but globally, when we read about a breach, suddenly the CEO of the hacked organisation is up in front of a camera, not as a victim to be supported but to apologise for being breached. Surely they are the victim of a crime too. There is only one party that we should be hounding, and only one party apologising, and they are the criminals initiating the attacks.
You may say that this is fair, though. The background reasoning is that corporates and big businesses are woefully under-spending on their IT security, and are being reckless with our privacy and data. Therefore when they're breached it's obviously their fault for being too weak in their defences.
This brings me to "risk acceptance". In every business, agency, organisation and even our personal lives, we balance risk continuously. What is the risk and cost of doing something, versus the risk and cost of doing something else, versus the risk and cost of doing nothing?
Whether we are crossing the road, making an investment, or getting on that plane, we assess risk all day long. Businesses do the same, whether it be to hire that person, start that project, build that product, enter that new market.
I've been the CEO of five tech companies now, and I've always said "every dollar has already been spent six ways". Meaning for every dollar you have in the company there are many ways to spend it, all competing with each other for priority. Cybersecurity is one of them. Do you spend the money tightening your company's defences, or perhaps accept the risk of some system vulnerability?
People lose out
As we see in the news and with public opinion, security and privacy breaches have had a stratospheric leap in priority and importance. Why? Because when businesses and governments get breached, it is the people that lose out. We lose our data and privacy. I remember when I founded Aura InfoSec in 2005, we'd look at breaches where credit cards and passwords were the high-value assets. However, what's the first thing you do if your credit card or password is lost? You change it.
What if your private photos, health records, or personal information are lost? You cannot reset and change that; it's part of you. Then of course, as we race headlong into the Internet of Things (IoT) and the smart device era, the breaches of the future will not be just data related; they will impact the physical world, and we're seeing this already. Breaches will open doors, stop cars, stop the power, and eventually take lives.
So perhaps people getting grumpy with weak security isn't so bad after all.
It says that society is realising that the value of the digital realm is catching up with the value of the physical realm. I was at a conference in Washington DC several years ago when John O. Brennan, the former Director of the CIA, said, "we have entered an era where more human interaction occurs in the digital world than the physical world".
So my message to all companies and government agencies out there is that when it comes to cybersecurity "the cost of doing nothing is getting more expensive by the day". Information security, privacy, system security and availability are becoming critical to society and therefore the priority and the budgets need to be commensurate.
So this blog won't be throwing stones at those getting breached. Instead, I'll be hunting around for ideas, solutions, innovative Kiwi tech companies, new services that aim to help alleviate and fix some of the cyber-security debt we have today, and believe me there is a lot of technical debt out there.
All businesses need to do is re-prioritise the risks and budgets accordingly and have an appetite to consume some of the epic innovations that we have in NZ.
Andy Prow is the founder of Wellington-based cybersecurity company RedShield, which has operations in New Zealand, Australia, the United States and the United Kingdom. He is a board member of the NZITF (New Zealand Internet Taskforce).