It has only been a decade since Cyber Technology became so widely available to everybody. Yet most large organizations have not seized it as an opportunity to outperform the competition; they just do what they consider to be necessary. As a result they cannot attract the best digital talents, who became available starting with the Millennials and who do not want to be managed, but are focused on purpose. Add to this the disappointment over shooting-star new business models such as Uber, Airbnb, Amazon, etc., which off-load classic enterprise responsibilities to the point of denying them, much as toxic waste used to be off-loaded at the expense of societies, and which offer precarious employment only. These talents are then easily enticed to develop software for stakeholders interested in other people’s data, whether for money or for information that could be worth money.
Since most organizations lack thought leadership on these issues, underground marketplaces for Hack Program Services have blossomed in recent years. They have brought down prices by 77% and are used by State actors (5%), activists (18%) and criminal groups (77%), industrializing the threats to digital society. Cyber criminals have become the new drug dealers, whether they are after customer data, intellectual property data or just attempting blackmail, all of which represent important new business opportunities! Since digital society is a collective, information-sharing culture, the threatening powers outlearn the defenders by co-learning. They produce ransomware at App prices for black market users. Of the 10% of cases that are reported, only half were taken to court, and of those only one third ended in a conviction – a mere 1.5%! Most cases fall under multiple jurisdictions.
At company board level Cyber Security has to become a top-priority issue! Otherwise lawfully collected information or truthfully analyzed conclusions could become a matter of investigation, as the aggrieved parties may be outside the company itself. I’ve seen remedies that nominate someone already in the organization as a Cyber Security Officer [CYSO] on a job-enrichment basis – forget it! It is a full-time job, if not for one organization only, then at least for several on a Specialist Contractor’s basis. Never forget that any Technology potentially available for defense only covers the challenges of yesterday! And there is a skills gap in the market. So if a specialist is available on a contractor’s basis, take the opportunity! It also helps from a co-learning perspective if several companies use the same expert, as this leads to shared learning.
However, Cyber Risk is no different from Innovation Risks in general. It boils down to a mere “People – Technology – Process” issue of closing the loop! Yes, it is primarily a “Code of Conduct” matter, as most attacks succeed because of the ignorance of an organization’s internal IT-system users. CIOs need to focus on identifying internal risk groups. Machines can largely be protected from manipulation as long as nobody from outside can slip into the identity of an internally authorized user. That is quite easy, however, if employees are allowed to bring their own devices [BYOD] without clear restrictions (and checks) against using them for Social Media, Skype or other open services. Free WiFi access in public spaces is also a major Cyber Security threat! Internal systems must aim to monitor what their users do outside with devices that are connected to the internal systems. This must of course be communicated transparently via a company code of conduct for IT use. And increasingly, the use of artificial intelligence can help identify the risk profiles within an organization.
Cyber Security incidents cannot be prevented. But they must be detected by monitoring both the structured and the randomly set-up interfaces to the outside world. Awareness campaigns are needed to keep the employees concerned from wrongly perceiving all these measures as “1984”. Cyber Security issues are changing every day. But the way into organizations remains the people authorized to connect to the companies’ Technology, who often do not use it competently, particularly when it comes to interpreting irregularities as incidents.