Every business is exposed to risk.
Cyber Security risk can seem scary because it has the potential to tear apart your business.
It doesn’t take much imagination to consider how stories of companies being taken down by someone innocently clicking on an email could affect your company.
The 2022 Verizon DBIR reports that 82% of all incidents had a ‘human’ element, meaning that we are the single largest target for cyber criminals.
The statistics aggregator Statista estimates the 2022 losses to cyber crime at $8.44 trillion and expects to see that rise to $23.84 trillion by 2027.
So what’s the solution?
Central to any business is the human element. We are both the creative advantage that spurs innovation and the weakness on which criminals act.
When evaluating risks to your business, it is imperative to consider how cybersecurity services account for human-centric design.
Let me share two quick stories.
Barbara Corcoran admitted in 2020 to losing $388k to a single fraudulent email that purported to instruct her staff to pay an invoice. The incident involved a cyber criminal who sent an email to a bookkeeper from a misspelled address made to look like an administrative assistant's. Inserting something as simple as an email into a human-centric workflow that wasn’t hardened against attack put the organization at immediate risk.
The second story is one that we all share. Over the last few years of COVID-19, we have all had to adapt our professional lives, not only in where we work, but in where our peers and customers work as well. Gone, it seems, are the days when we could conveniently gather in a conference room or when visiting a customer at their office was the norm. When everyone went home to work, they took the company with them. The procedures we relied on to make much of the business world work had to adapt quickly to a new paradigm. Cyber criminals were quick to adapt as well. They are very much aware that our human-centric processes are all in a state of adaptation and that this allows them to assert themselves in new and unique ways.
As the Corcoran story shows, cyber criminals are adept at looking for our soft spots. To turn this risk into an advantage, we must adapt as well.
Human-centric design for cyber security means looking more holistically at how humans make our businesses work, what the processes are that they need to support, and how to make them more resilient. With this knowledge, we can identify weaknesses and begin to provide mitigations.
In our workshop, we like to bring in stakeholders from around the organization to discuss the business process. Moreover, we like to discover and discuss the hidden processes of the organization that may represent risk. By first understanding how the organization functions, we can then begin to focus on both optimization and resiliency.
A typical place to start in this process is third-party risk management. As the pandemic showed, we can all be deeply affected by the supply chain. Understanding how this risk plays into our environment can go a long way toward pricing and mitigating it. Having a more complete view of the business processes that are supported by our vendors is just one example, and one that Ms. Corcoran learned very quickly.
Turning risk into an advantage means pivoting from being defined by our risk losses to using our mitigations to create a stable platform. This capability can be a competitive advantage by allowing us to take on a more adaptive and risk-sensitive posture. We can absorb more change if we first know how it will affect us.
As an example of this, go back to 2019. While it may have been inconceivable that in a matter of a few days we would all abandon our offices and work from home for the next few years, some organizations were more able to pivot and some were not. Organizations with the ability to create a decentralized infrastructure were able to adapt to the new work style. From an IT perspective, this means moving the service edge closer to the user and customer, wherever they may be. From a Cyber Security perspective, this means adapting to a ‘Starbucks’ model where everyone is suddenly working from home, connecting to foreign networks as the standard and plugging any array of new devices into their corporate laptop.
Is it any wonder that ransomware cyber criminal activity is on the rise? The ability to adapt is a clear advantage and the speed of these changes appears to be accelerating.
How will you adapt and turn that risk into a business advantage?