In this current climate, it would be reasonable to believe that we are all identifying and considering the risks associated with operating online and the importance of self ‘cyber’ defence. However, we are still hearing business owners, MDs, and CEOs say, “It’ll never happen to me”.
With cybercrime on the increase why are we still so bad at analysing the risks to our lives and our businesses?
Risk Management – the oldest profession
When the earliest caveman (or woman) stepped out of the cave, the likelihood is that they were confronted by a large animal, covered in fur, with very long shiny teeth. The second caveman (or woman) who stepped out will have heard the screams, and now sees the danger from this large animal, covered in fur with very long (and bloody) teeth. They learnt that assessing the danger to them was vitally important. Assessing risk isn’t just psychological; it’s biological. It’s innate within all of us.
For example, most people will refuse to eat, or feel less hungry, when faced with food that is black, because it looks ‘off’ and may be diseased. We haven’t learnt this through nurture; nature tells us not to try this food for fear of falling ill or worse. Did you know that if you’re looking to lose weight, eating off a plate that is black or dark blue will diminish your appetite, and as a result you will eat less?
We have been surrounded by risks since the dawn of time, and we constantly have to assess the risks we face so that we can survive and thrive, but therein lies a problem. If we analysed every action we took, we would never get out of bed in the morning! Our brains are constantly assessing risks, even without our knowledge, and to do so they take shortcuts.
At one of our ‘CyberNatter’ events, we discussed this with Psychotherapist and CyberTrauma specialist Catherine Knibbs, who gave us a great example of how this works. “When we wake and put our feet on the floor, our brains ‘could’ assess the risks associated with this action: What if something bites me? What if I twist my ankle when I put my foot down? What if the floor isn’t there?! We couldn’t operate in life if we assessed everything. So our brains take a shortcut and in a nanosecond will come to the conclusion that, based on previous experience, everything will be fine when you get out of bed and put your foot on the floor.”
Your perception is your reality
In ‘risk management’, we hear the term ‘risk perception’ quite often. It refers to the judgement people make about the characteristics and severity of a risk. The problem with this judgement is that it is often subjective rather than objective, meaning that it is a highly personalised and individualised assessment of what is and isn’t a risk, how likely the risk is to turn into reality, and what the impact would be.
In the case of our cave dwellers, getting this risk assessment wrong was quite literally a life-or-death decision. Thankfully most of us don’t carry this heavy burden (although of course many professions still do).
How we perceive risks isn’t just dependent on biology and evolution, of course. Experience, knowledge and training all play their part in helping us understand the world around us and the risks that are ever-present.
Risk perception is a fascinating topic and highly individualised. Some people are risk-takers, and others are risk-averse. Some people will happily take a short drive to jump out of a plane with a parachute, and others have a fear of flying, yet drive hundreds of miles to the airport. In this situation, what is and isn’t risky depends on your personal risk profile.
This brings us to a problem, and the purpose of this blog. Our risk perceptions need to evolve. In fact, we need to change our approach to risk and stop using the term ‘risk perception’ altogether, because how you perceive a risk is, by definition, your subjective view of it: your personal, and often prejudiced, view of how likely the risk is to occur and what the impact would be.
This is why MDs, business owners and CEOs will often state, “The risk of cyber attack isn’t relevant to us.” Because it hasn’t happened to them before, and they don’t know anyone it has happened to, the risk is seen as some remote event that just isn’t worth worrying about. Their brains are helping them by taking a shortcut to the “Don’t worry about that risk. Worry about this risk” outcome.
Knowing this, we, as cybersecurity specialists, need to change our approach. We keep on telling people to do things like this:
- Have a Security policy – Use unique passwords and ensure everyone uses them
- Use Encryption – Encryption is available on laptops and mobile phones/devices – use it!
- Keep systems and services updated – Update Anti-virus, Firewalls, people(!)
- Review Datacentres – Visit them, or speak with them often
- Have a Business Continuity (BC) plan – Telling you what to do and who to talk to if the worst should happen
Before we deliver this kind of advice, perhaps we should start by clearly examining and understanding what the risks are.
Understand your risk landscape
The first step to improving cybersecurity is to change how we assess the risks associated with it. We need to understand the risk landscape: the risks that apply to the sector you’re in, and those specific to your business.
Looking at ISO 27001, the international standard for Information Security Management Systems, we know that there is a requirement for Risk Assessments to be carried out. This is because the standard is risk-based, meaning that you need to understand your environment and what risks specifically apply to you.
If you’re struggling to carry out a risk assessment, you could consider using ISO 27005:2018, the Risk Management Standard, which helps you to structure your risk assessment process, specifically for the benefit of ISO 27001.
Understanding and analysing risks is not easy, especially when you’re trying to do it yourself; this is why it’s often better to have an objective analysis and assessment carried out by a third party. This is one of the reasons companies come to Cyberfort: so that we can help them see the things that they can’t. We are effectively taking them from being risk ‘blind’ to risk-aware.
By understanding your risks, you can decide how you would like to treat them. Turning a blind eye is not an option, and when it comes to cybersecurity, ignorance is NOT bliss. It’s dangerous.
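To make the ISO 27001 / ISO 27005 idea of a risk-based assessment concrete, here is a small added example of a risk register that scores each risk from a likelihood and an impact rating and then assigns one of the four ISO 27005 treatment options (modify, retain, avoid, share). This is illustration code written for this post, not Cyberfort’s method and not anything prescribed by the standards: the 1–5 rating scales, the risk appetite threshold, the treatment rules and the sample risks are all constructed assumptions. The point it demonstrates is that once ratings are written down and scored consistently, the ‘which risk do we worry about’ decision stops being a gut feeling and becomes something a second person can check.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed rating scales (assumed for this example; ISO 27005 leaves the
# scale and its wording to the organisation).
LIKELIHOOD: Dict[str, int] = {
    "rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5,
}
IMPACT: Dict[str, int] = {
    "negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5,
}
# Assumed risk appetite: a likelihood x impact score at or below this may be retained.
RISK_APPETITE = 6


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    existing_controls: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject free-text ratings: a register only works if everyone uses the same scale.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")

    @property
    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def treatment(risk: Risk) -> str:
    """Pick an ISO 27005 treatment option using assumed, illustrative rules."""
    lik, imp = LIKELIHOOD[risk.likelihood], IMPACT[risk.impact]
    if imp == 5 and lik >= 4:
        return "avoid"   # severe and likely: stop or redesign the activity
    if imp >= 4 and lik <= 2:
        return "share"   # rare but damaging: insurance or contractual transfer
    if risk.score <= RISK_APPETITE:
        return "retain"  # within appetite: accept and keep under review
    return "modify"      # everything else: add or strengthen controls


def risk_register(risks: List[Risk]) -> List[Dict[str, object]]:
    """Return the register ordered from highest to lowest score."""
    rows = [
        {
            "asset": r.asset,
            "threat": r.threat,
            "score": r.score,
            "treatment": treatment(r),
            "controls": ", ".join(r.existing_controls) or "none",
        }
        for r in risks
    ]
    return sorted(rows, key=lambda row: row["score"], reverse=True)


def sample_risks() -> List[Risk]:
    """Constructed sample risks for a small business (not real assessment data)."""
    return [
        Risk("Laptop fleet", "theft of an unencrypted device", "likely", "major"),
        Risk("Customer database", "ransomware", "possible", "severe", ["backups"]),
        Risk("Office Wi-Fi", "guest misuse", "possible", "minor", ["guest VLAN"]),
        Risk("Datacentre", "prolonged power outage", "unlikely", "major"),
        Risk("Legacy FTP server", "credential interception", "almost certain", "severe"),
    ]


if __name__ == "__main__":
    for row in risk_register(sample_risks()):
        print(f"{row['score']:>2}  {row['treatment']:<7} {row['asset']}: {row['threat']} "
              f"(controls: {row['controls']})")
```

Running the block lists the five constructed risks in score order, with the unencrypted-laptop and legacy-FTP entries at the top; the ‘it’ll never happen to me’ instinct tends to reverse that ordering, which is exactly why writing the ratings down is worth doing.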