
Be Afraid, Be Very Afraid

I have just spent the last couple of days with cyber security experts and colleagues at the @OSP Academy's Cyber Symposium.

    

We all agreed vehemently with each other about what needs to be done, what can be done and how scary the threats out there are.


However, we are preaching to the choir!


The overwhelming task that we face, still, is to “educate”, persuade, cajole boards of directors into believing that we and our organisations, however large or small, are all targets for cyber threats. The fact we all agreed upon: “it is when not if” with regard to the occurrence of a cyber attack, data breach, whatever we call it, in all organisations.


Governance, risk and compliance (GRC) should not be a nice-to-have. Regulation is there for a reason - to protect us all. So why are so many organisations ignoring GDPR / UK Data Protection Act? Will they do the same when the CRA (Cyber Resilience Act) comes into play - and the AI Act?


Most companies have invested in building the company reputation, developing products and services, building trust with customers. The investment is not small - it does not matter how many pounds / dollars / hours / emotions, it is significant.


But we all risk throwing that away in a heartbeat…


Those of us in the cyber security world, despite all our knowledge, can be fooled too and are fallible (as was demonstrated by the exercises we undertook with OSP this week), and we don’t have all the answers. However, we have seen the results and the outcome from many incidents.


We have experience of managing data breaches and cyber incidents for clients across all sectors, public, private and not for profit, seeing the stress, distress and damage they can cause. And this is why we are so passionate about trying to get the attention of senior managers / business owners to ask them to consider the cost benefit of a bit of planning and preparation.


As most grandmothers would say, “a stitch in time saves 9”. In this case, that assumes that a cyber attack, once realised, will cost only 9 times the cost of preparation / mitigation / planning / testing / training. If only…


One train of thought is that, even if you have a plan, and rehearse the incident response plan over and over, you can be sure that the actual real attack won’t be the same. That is undoubtedly true and, on the face of it, your plan may seem irrelevant.


BUT, having rehearsed, your team will be a team, act like a team and be able to work together, communicate to each other and understand their roles. They will be more motivated as they can see how easily things they have worked on can be destroyed.


This is critical when you are under time pressure to save your business. And it may well come down to this: save your business, save your reputation – all those things you have invested in over time.

To paraphrase some of the analogies used this week:

We all put our seatbelts on when we get in a car.

We all lock our doors and windows when we go away from our houses.

We all assume the aircraft we get into are safe to fly and the pilot qualified.

Surely we owe it to our customers, consumers, employees and suppliers, and the wider community, to protect their data, build defences and be prepared for any eventuality.


Most of us in the cyber security industry agree that we should not market our services using fear as the tactic; however, it is hard. I don’t want to use the famous line and tagline from the 1986 body horror film The Fly, directed by David Cronenberg, "Be afraid. Be very afraid", but it is hard not to!


As the Girl Guides and Scout Brigade taught us: be prepared!


