Risky Business

Date: 1st December 2020

Author: Gary Hibberd

In this current climate, you’d think that more people would appreciate the risks associated with operating online, and the importance of self-(cyber)-defence.

But I am still hearing business owners, MDs, and CEOs state that “It’ll never happen to me”.

When cybercrime has increased by over 600% in the last twelve months, why are we still so bad at analysing the risks to our lives and our businesses?

Risk Management – the oldest profession

When the earliest caveman (or woman) stepped out of the cave, the likelihood is that they were confronted by a large animal, covered in fur, with very long shiny teeth. The second caveman (or woman) who stepped out will have heard the screams, and now sees the danger from this large animal, covered in fur with very long (and bloody) teeth. They learnt that assessing the danger to them was vitally important.  Assessing risk isn’t just psychological; it’s biological. It’s innate within all of us.

For example, most people will likely refuse to eat or feel less hungry when faced with food which is black. This is because it looks ‘off’ and may be diseased. We don’t “know” this, but something in our heads tells us not to try this food for fear of falling ill or worse. (Health tip; If you’re looking to lose weight, eat off a plate which is black or dark blue. Your appetite will be diminished, and you will eat less).

We have been surrounded by risks since the dawn of time, and we constantly have to assess the risks we face so that we can survive and thrive. But therein lies a problem; If we analysed every action we took then we would never get out of bed in the morning! Our brains are constantly assessing risks even without our knowledge, and our brains are taking short cuts!

At one of our recent ‘CyberNatter’ events, we discussed this with Psychotherapist and CyberTrauma specialist Catherine Knibbs, where she gave us a great example of how this works. “When we wake and put our feet on the floor, our brains ‘could’ assess the risks associated with this action; What if something bites me? What if I twist my ankle when I put my foot down? What if the floor isn’t there?! We couldn’t operate in life if we assessed everything. So our brains take a shortcut and in a nanosecond will come to the conclusion that based on previous experience, everything will be fine when you get out of bed and put your foot on the floor.”

Your perception is your reality

In Risk management, we hear the term ‘Risk Perception’ quite often, and it relates to the judgement that people make about the characteristics and severity of a risk. The problem with this judgement is that quite often, it is subjective and not objective. Meaning that it is a highly personalised and individualised assessment of what is and isn’t a risk, how likely the risk will turn into reality and what the impact would be.

In the case of our cave dwellers, getting this risk assessment wrong was quite literary a life-or-death decision. Thankfully most of us don’t carry this heavy burden (although of course many professions still do).

How we perceive risks isn’t just dependent on biology and evolution, of course. Experience, knowledge and training all play their part in helping us understand the world around us and the risks that are ever-present.

If we return to the risks associated with getting out of bed, the likelihood is that most of us don’t give it a second thought; We get up, put on our clothes and shoes without a care in the world. But in certain parts of the world, you would do well to remember to give your boots a shake before putting them on, for fear of a spider or something else sitting in there!  Once you know you should do this, you have become ‘risk-aware’, based on experience (you were bitten before), knowledge (you know someone who had the experience) or training (someone told you to do it). Why do we have this innate fear of spiders? Evolution has taught us that (some) spiders are poisonous and our brains are again helping us, by offering us a short cut. A fear of spiders is an innate fear, and even young children are known to be scared of spiders – even when they have never had any exposure to them; Our perception of the risks posed by spiders is evolutionary and biological.

Cyber Risk

Risk perception is a fascinating topic and highly individualised. Some people are risk-takers, and others are risk-averse. Some people will happily take a short drive to jump out of a plane with a parachute, and others have a fear of flying, yet drive hundreds of miles to the airport. In this situation, what is and isn’t risky depends on your personal risk profile.

But this brings us to a problem, and the purpose of this blog; Our risk perceptions need to evolve. In fact, I believe we need to radically change our approach to risk and stop using the term risk perception. Because how you perceive risk is focused on your subjective view of it; i.e. your personal, and often prejudiced view of how likely the risk will occur and what the impact is.

This is why MD’s, business owners and CEOs will often state that the risk of cyber attack “Won’t happen to us.” Because it hasn’t happened before, they don’t know anyone it has happened to, or no one has explained how it happens in ways they understand. The risk is seen as some remote event that just isn’t worth worrying about. Their brains are helping them by giving them a shortcut to the “Don’t-worry-about-that risk. Worry-about-this-risk” outcome. 

Knowing this, we as Cybersecurity specialists need to change our approach. We keep on telling people to do things like this;

1. Have a Security policy – Use unique passwords and ensure everyone uses them.
2. Use Encryption – Encryption is available on laptops and mobile phones/devices – use it!
3. Keep systems and services updated – Update Anti-virus, Firewalls, people(!)
4. Review Datacentres – Visit them, or speak with them often.
5. Have a BC plan – Telling you what to do and who to talk to if the worst should happen

But before we deliver this kind of advice, perhaps we should start by clearly examining and understanding what the risks are.  

Understand your risk landscape

The first step to improving cybersecurity is to change how we assess the risks associated with it. We need to understand the risk landscape and what risks there are for the sector you’re in, and specific to your business.

Looking at ISO 27001, the international standard for Information Security Management Systems, we know that there is a requirement for Risk Assessments to be carried out. This is because the standard is risk-based, meaning that you need to understand your environment and what risks specifically apply to you.

If you’re struggling to carry out a risk assessment, you could consider using ISO 27005:2018, the Risk Management Standard, which helps you to structure your risk assessment process, specifically for the benefit of ISO 27001. 

Understanding and analysing risks is not easy, especially when you’re trying to do this yourself; this is why it’s often better to have an objective analysis and assessment by a third party. This is one of the reasons companies come to Cyberfort (and me personally), so that I can help them see the things that they can’t.  I am effectively taking them from being risk ‘blind’ to risk-aware.

By understanding your risks, you can decide how you would like to treat them.  But turning a blind eye is not an option, and when it comes to Cybersecurity, ignorance is NOT bliss. It’s dangerous.