Governments continue to warn businesses that they aren’t doing enough to shore up their cyber security. In contrast, a range of surveys tell us that businesses feel otherwise. Perhaps this is because a crucial point is disappearing through the communications cracks: anyone can commit cyber crime.
BAE Systems Detica’s new survey ‘Curiously Confident’ is perhaps the most recent to expose the perceived disconnect between how vulnerable the UK Government says that organisations are, and how vulnerable those organisations actually feel. Based on interviews with 100 decision-makers in £350 million+ turnover UK companies, the survey revealed 89% of respondents were “very” or “fairly” confident that their companies could prevent targeted cyber attacks by outsiders.
This could be taken as an encouraging statistic if it weren’t for the general concern that cyber security is still not being taken seriously enough. For example, many organisations don’t deem themselves to be a high enough cyber target to warrant significant action. 61% of the Detica respondents said that only an attack on their company or a competitor would force their board to take cyber risk more seriously. In a similar attitudes survey of smaller businesses by the National Cyber Security Alliance and VISA at the end of 2010, almost half of the respondents didn’t believe that the threat was worth the significant investment to secure their business.
There is a communications problem: the headlines and warning speeches only tend to focus on the sexiest threats that offer the sexiest stats. The activities of Anonymous make the news, as do attacks by foreign intelligence agencies and the eye-watering damages that major organisations such as Sony have sustained. Similarly, it’s very easy to associate the concept of a ‘national’ cyber security strategy with national problems such as organised cyber crime, cyber espionage and cyber warfare. In this context, many businesses can rightly consider themselves to be very low down on the list of targets.
I noticed a headline on ITweb recently that summed up what I think is missing from the whole argument: ‘Anyone can commit cyber crime’. If you Google ‘how to hack’, you get a sense of the vast library of know-how at the novice’s fingertips. If you Google ‘password cracker’, you can see the free tools you also have at your disposal. All you need is a computer and an Internet connection, and you’re ready to go. If you run into difficulty, then why not buy the services of a hacker – they even have their own websites. And if you think that honest citizens know that cyber crime is wrong, then I recommend you also see the results of Googling ‘hacking is not crime’.
The truth is, cyber crime isn’t as hard as you may think it is, and the threats can come from anywhere. For example, it’s a youth culture worn with pride. Disgruntled employees and ex-employees turn on their employers, and use cyberspace to exact their revenge. And it doesn’t matter how big or small you are: an unscrupulous competitor can easily attack you. So with our online world reducing the six degrees of separation every day, can you still be sure that your business won’t become a target?
Naturally, my sphere of interest is employee cyber security awareness, and I’ll leave you with a couple of statistics from that 2010 report by NCSA and VISA. With lack of cyber security awareness the biggest cause of breaches in organisations, I remember finding it deeply troubling that 75% of survey respondents had given their employees less than three hours of network and mobile device security training over the preceding 12 months. Worse still was the fact that 47% had given their employees none.