Hardly a day goes by without some company reporting either a breach in their systems or a loss of confidential data. It doesn’t just happen to small businesses. Giants like Facebook and Google have also been in the news for all the wrong reasons. You would think that in the midst of all the negative coverage, organisations would start to pay more attention to their cybersecurity. They do, but it’s never been that straightforward, of course. Cybersecurity is a wonderful ideal, but there are too many ways that cybersecurity can trip up an organisation.
Cybersecurity is a double-edged sword. Too enthusiastic an approach might lead to slower adoption of new technologies, and stifle new innovations in cloud, mobile capabilities and the ubiquitous Internet of Things.
Fierce Controls: Because They’re Easy?
Organisations apply excessive controls because it is the easiest decision to make. Put up enough walls in the corporate cyberspace, and attackers will not even bother trying to enter. That’s wishful thinking. Malicious hackers will always stay one step ahead of corporate entities because they are not bound by law. What’s worse, however, is that the initial problem that triggered the control is not addressed at all. The problem, when couched in business terms, is rarely "Not Enough Cybersecurity". The problems are usually phrased like this:
- Why can’t I send a confidential file to a colleague working in another department without zipping it with a convoluted password?
- Why do I need to submit the same personal information to two different systems?
- Must I change my password every sixty days?
Security fatigue sets in. Cynicism grows and the overall productivity of frontline staff takes a massive hit. For both the company and its beleaguered employees, this is a dangerous zone to be in. Why? Workers begin to think about workarounds.
Here’s a familiar scenario. Say you are not able to send a confidential file through the corporate email, either because the company frowns on such a practice or because the file is simply too large. What would you end up doing? Most people would immediately turn to external options like instant messaging or online storage services without batting an eyelid.
A New Approach
Companies must expect these behaviours. Though a large chunk of the cybersecurity pie is taken up by controls that can be delivered by both technical and policy means, a rapidly growing chunk is occupied by simple human behaviour. This must be met by a strategic approach to awareness and training that:
- Recognises the individual as a digital native. This forces the company to expect that its employees are comfortable with diverse devices, forms of technology, and the capabilities of apps. More importantly, individuals are perfectly willing to exploit their digital literacy to enhance not only their personal lives, but their workplace duties as well.
- Focuses on teaching people the correct set of actions to perform duties in a secure manner, until it becomes a kind of muscle memory. This requires the company to adopt role-based education programmes because in large organisations, different groups of personnel manage different processes, data and risks.
- Emphasises the methods and risk of social engineering attacks, which have become the most common type of cyberattack. It is not a coincidence that social engineering attacks take advantage of natural human behaviour. Hence, it is vital for companies to help their employees gain a defensive instinct against cyberattacks that might not only occur through office computers, but also personal devices like mobile phones, tablets and laptops.
I’d argue that the end goal is not cybersecurity for its own sake, but for promoting Digital Resilience. At its core, Digital Resilience is anchored on three pillars: security, efficiency and agility.
While traditional cybersecurity measures are similar to antibiotics that are administered after a so-called infection, Digital Resilience instead aims to preempt threats by being, first and foremost, a powerful immunisation shot. It pays attention to endpoint security (the usage of any computing device for performing any kind of transaction), thereby moving away from perimeter defence to a more thorough understanding of data and data context.