Cyber Risk: we told you so (and the pandemic too - almost)

Organizations are still failing to appreciate and address risk. The cyber threat is very real and continues to increase, but litigation is now a bigger concern than regulation.

If you’re not risk-aware and crisis-prepared then you could be in real trouble a great deal sooner than you think.

I did a thought leadership video for Huawei back in February 2020, based on a script that I had written in early January - long before I or many others were aware of the impending pandemic. It addressed our societal inability to appreciate and address risk. While it did not mention COVID-19 or the health risk that ensued, many of the points that it made were directly applicable.

SEE THE VIDEO HERE: https://twitter.com/i/status/1233702065010069504

The video was very well received. I posted a copy on leap day (29th February 2020) and in its first week it had about a million views. Its main focus was on the fact that cyber risk was overtaking financial risk as the greatest threat that we all face. In it, I asked whether we had all learned the lessons of the financial crisis or whether we were due to make the same mistakes again.

As it happens, almost immediately the whole world did make these same mistakes, failing to appreciate and address health risk and allowing a pandemic to get out of hand. If I had been talking about health risk instead of cyber risk, then conspiracy theorists everywhere today would be accusing me of knowing about COVID-19 in advance and possibly even of being behind it.

While we have now all lived through a twelve-month case study in health risk and how not to deal with it, most organizations remain blind to the looming cyber risk.

A year after the video shoot, I wanted to take the opportunity, yet again, to tell organisations to wake up to the cyber risk. The recent SolarWinds incident has shown that nobody is safe from hackers - not even the US military, the White House or the NSA. As I recently discussed with Dez Blanchfield (referring to this article for AccountingWEB), the challenges here are considerable, but action needs to be taken urgently (I also refer to these 15 tips in this article for Commvault).

If organisations had a better appreciation of risk, and understood the value of data both as an asset (while it is being exploited) and as a liability (once there is a data breach), then they’d be doing a great deal more to ensure that they are crisis-prepared (as I explain in this article for AccountingWEB).

You wouldn’t wait until you’d hit an iceberg and were starting to sink before thinking of fitting life rafts. You need to act today and make sure that your organization is prepared with its own life RAFT - Risk Awareness, Flexibility, and Trust (see my article here for Commvault).

Even organizations with a cybersecurity strategy and ISO 27001 certification have had breaches and have faced class-action lawsuits - it’s not just companies like Facebook that are being targeted with mass privacy claims. Regulators will require evidence that risks had been properly evaluated and that reasonable processes and defenses were not only in place but that they had also been tested.

As you consider your risk appetite, think about how you might defend your decisions and actions in court, because one day you may need to do so. And legal action isn’t only being taken against organizations: decision-makers and board members are being held individually liable too.

A year later, it is time to rewatch the original video and to pay better attention to its warnings. We are all now a year older, but are we any wiser?

See the full article here: https://billmew.substack.com/p/cyber-risk-we-told-you-so-and-the



Ed Featherston

Technology Evangelist / Enterprise Architect / Consultant

4 years

Sadly, in both scenarios many people's idea of dealing with the risk is 'It won't happen to me'. As we have seen in both cases, not a good plan.
