CyberSecurity SEE

Our Risk Perception: The Need for Repair

The evolution of cyber security over the years has presented new challenges and vulnerabilities for businesses and organizations. Back in 2000, the Dallas FBI Field Office was just starting to grasp the emerging threat of cyber attacks. With fewer than 25 email addresses, the Cyber Squad was seen by outsiders as “geeks playing with computers.” However, behind the scenes, the United States Intelligence Community recognized the potential harm that could be caused by cyber criminals.

During that time, cyber security was not a primary focus for information technology teams. Their main responsibility was to ensure that technology was available and functioning properly. The modern-day breach, as we know it now, was not yet in wide use. Attacks were mainly limited to defaced web pages and denial-of-service attacks. These early cyber threats were relatively easy to combat because the good guys always seemed to come up with a solution.

However, as technology became more ubiquitous and integral to our daily lives, the risks associated with cyber security also increased. We now rely on technology for everything from communication and entertainment to banking and financial transactions. This reliance on technology has made us more vulnerable to cyber security risks. Attackers now have two vulnerabilities to exploit – the people and the technology. Even the technology designed to protect us from these risks can sometimes be turned against us.

Despite growing awareness of and investment in cyber security, the problem seems to be getting worse. Cybercrime is now a six-trillion-dollar industry, while the cyber security industry is worth only 200 billion dollars. It is clear that simply throwing money at the problem is not a viable solution. This has become an asymmetrical war, where the attackers have the advantage.

In order to address these challenges, we need to change our mindset. As a former FBI Special Agent, I understand the importance of mindset in approaching investigations. When it comes to cyber security, our reliance on technology as a fix is preventing us from fully utilizing the human factor. Technology alone cannot solve our security problems. We need to recognize the human factor as both a vulnerability and a solution.

Employees within organizations often have high levels of trust and access, making them potential targets for cyber attacks. Malicious actions or non-malicious mistakes made by employees can lead to significant security breaches. Our increased connectedness through multiple devices and programs has provided more outlets for leaking information and more people with access to critical data.

The human factor is undeniably the weakest link in the security of any IT infrastructure. Threats such as ransomware and business email compromise rely on exploiting the human mindset. Ignoring the risks associated with people is a dangerous oversight. It is important to remember that behind every cyber threat is another human being capable of manipulative behavior. While policies and technology can impede malicious actions, risks cannot be completely eliminated because people are inherently unpredictable.

Acknowledging the risk of the human factor means involving every technology user within an organization in the cyber security conversation. It should not be solely the responsibility of the IT department. Keeping risk management siloed is counterproductive, as hackers are unlikely to target the cyber security-savvy individuals. Instead, organizations should form multi-disciplinary teams that include IT, HR, and comms to discuss potential risks and communicate and educate the wider business.

Building a culture of cyber security and risk awareness within organizations is essential. It should be recognized as a key business priority and employees should be encouraged to report security incidents or potential threats. A sense of ownership and accountability for the security of the organization’s data and assets should be promoted.

By adopting a risk-based mindset and developing relevant skills with sophisticated tools, organizations can become more resilient in the face of cyber threats. Resilience is the antidote to the growing cybercrime economy. It requires a shift away from threats and vulnerabilities towards meaningful conversations about risk. This involves asking the right questions and preparing for worst-case scenarios.

In conclusion, the evolution of cyber security has made us more vulnerable to threats. While technology is important, we shouldn’t forget the human factor. By recognizing the risks associated with people and involving all stakeholders in the cyber security conversation, organizations can build a culture of resilience. This shift in mindset, combined with the commitment to developing relevant skills, will ultimately lead to a stronger defense against cyber threats.
