AdobeStock_177663387.jpeg
  • Thomas Jreige

"I know" vs "I WANT to know"

Cyber Security Fatigue - on the road to DIGITAL BLISS





Plato once said, “Opinions are nothing more than the medium between truth and complete ignorance”. This is where cyber security has now gone. We are told we have what we need and yet we are still being compromised.



I am a Physicist, Security Expert, Tactical Strategist and Thought Leader. But enough about me.


Cyber Cerberus is a Consulting and Advisory organisation that is all about making complex Cyber Security Simple and Compelling, and the aim of this article is to show you why this is absolutely necessary.


Cyber Security has become a complex animal. There are tools, processes and even more tools to install in our digital environment. The government, vendors, IT providers (and the like) all tell you to install multi factor authentication, patch your systems, and do security awareness training etc, yet we are still getting HACKED. In the last 6 months there have been two (2) compromises reported in the finance and real estate sectors. One of these events has led to Australia’s first legal precedent, with an ASIC lawsuit against an organisation for $750,000, due to negligence in maintaining good Cyber Security.


So, it begs the question, if we have everything we need (supposedly) and we are still getting HACKED, what is going wrong? The answer is simple. I know you want to keep reading!…….


Optimism Bias


How many of you who are reading this article have children/teenagers or younger siblings, or maybe even you yourself - who use the phrase “I KNOW” (insert eyeroll here) as a default response to avoid dealing with a real problem. We are all guilty of this at some time or another.


Optimism Bias is just this. “A cognitive bias that causes someone to believe that they themselves are less likely to experience a negative event.” This is one of the most fundamental problems with cyber security now. We generate opinions based on click-bait, the media, and other sources of information and many of these opinions have been made based on individuals whose agenda is to sell, sell, sell. We have been bombarded with so much information from the media, product vendors, IT providers and everyone else under the sun trying to tell us how to do cyber security, that it has all become white noise.


We are automatically being provided with solutions, without the real problem being defined. Most people are not experts in cyber security to be able to make informed decisions, yet they are being forced to make them every day. and with that, choose to bury their head in the sand instead of being open to growth. We are dealing with the mindset problem of:


“it will never happen to me”

“our organisation isn’t big enough to be targeted”

“our information isn’t worth much”


So, it is easier to say, “I know” than it is to say, “I didn’t know that, tell me more”.


You don’t actually believe (or understand) the true value of the information in your organisation. You are targeted for exactly that reason. You hold information like any other organisation, you process it like any other organisation yet you don’t have the security budget, nor the appropriate advice and/or knowledge, to protect it within the context of your organisation. And to add to the anxiety of all of this:


“We are all compromised!”.


It is not a matter of if, but when. You have provided the keys of the kingdom to your supply chain. So, you are having to rely on and trust more than one set of entities to look after your systems, information and what’s more, your livelihoods.


However, all is not lost. A shift in mindset, and having your own Cerberus for the organisation, you can take back control of your assets. Bear in mind, as a Director and owner of an organisation, you are responsible and legally liable for all information regardless of who you provide it to for processing, transmission and storage e.g. your IT provider, your accountant, your HR company, your logistics company etc. It is your data at the end of the day the supply chain only enhances your organisation, not takes ownership for the data.


We follow a simple process at the start to help an organisation understand their risk posture. This is called a Threat & Risk Assessment. Our Threat & Risk Assessments encompass four (4) critical and complete areas of your organisation - Governance, Personnel, Physical Security and Information Security/Tools/Processes.


For every Threat & Risk Assessment, we capture the context of the digital environment, layer by layer, building a firm foundation and understanding of how information flows in and out of your organisation.


We identify the following key items in each layer:


  1. WHAT information or data is at risk?

  2. WHO is going to threaten the organisation?

  3. HOW would they compromise you?

  4. IF compromised, what is the projected cost?


Together, these pieces create a complete picture of the risks your organisation faces, which we use to develop the security and protection outcomes, to then drive your IT provider to implement a solution that protects your assets.


We don’t provide solutions as part of our organisation, but we provide outcomes to complex problem solving. For the purposes of this article, we are going to leave you with three key mantras which will help you reach DIGITAL BLISS:


  1. Get Independent Advice

  2. Zero Trust

  3. Cyber Insurance / Management Liability


Reference:


En.wikipedia.org. 2022. Optimism bias - Wikipedia. [online] Available at: <https://en.wikipedia.org/wiki/Optimism_bias> [Accessed 20 August 2022].