Five Behaviours to Drive Effective Cyber Risk Reduction

It's early January 2024, and there should be no doubt in any business owner's or manager's mind that cyber and data privacy risk is now a core "fixed cost" of doing business.

I am fully confident that everyone reading this article should expect their organisation to experience either a direct cyber attack, or the impact of an attack on a trusted supplier, in the coming calendar year.

A case of when, not if.

This means that the days of it being acceptable to either not be aware of the cyber threat we all face, or excusing ourselves on the basis of cyber security being an "IT problem", or thinking that (as a CEO, MD or Director) it is someone else's responsibility, are long gone.

This is ground zero: no excuses, no justification for ignorance. Roll up those sleeves, accept it's a responsibility to be faced and managed - and let's do better in 2024.

On that basis I am focusing this article on mindsets and behaviours, rather than the traditional boxes that need to be ticked.

Let's focus on the stuff you can control today - putting in place a strong foundation for immediate risk reduction across your organisation.

These behaviours and thinking can be applied without delay, and to help I've tried to add some essential context to guide you on the first steps of your journey.

So here goes, my 5 keys to cyber security (and data privacy) success in 2024.

  • Proportionality
  • Proactiveness
  • Teamwork
  • Context & Balance
  • Self Awareness

It is far too easy, when trying to manage a subject, issue or challenge that we may not be familiar with, to over or under invest in solutions.

The American writer Christian Nestell Bovee once said that "We fear things in proportion to our ignorance of them", and this is true of cyber security and data privacy.

At Moore ClearComm we always ensure that the services we provide (or recommend) are in proportion to the risk our client faces and the realistic costs and impacts that a cyber attack or data breach might have on their organisation.

For example, while a full and in-depth external penetration test on Organisation "A" might be appropriate for their level of risk and impact, it may not be suitable or required for Organisation "B", for a variety of reasons. Paying for a test such as that may not provide any tangible benefit for "B", whereas for "A" it could be the difference between security and major business disaster.

On that basis, it is essential (before speaking to a cyber security provider such as ourselves) to sit down with your key managers and stakeholders, and consider (without bias or prejudice) the true and likely implications of an attack (direct, or indirect on a supplier) or data breach. Make sure you factor in the nature of the data you process and what problems that might cause should it end up in the wrong hands, as well as forecasting the damage to your reputation - all the while working on the assumption that an attack or breach will happen today.

Do NOT fall into the trap of making emotive or gut-feel judgements on your cyber risk likelihood, because I guarantee you will get it wrong - and from that point onwards poor decisions will follow, every step of the way.

If you're not sure how to consider your proportionate risk - just drop me a message and we can talk it through!

The one absolute, cast iron certainty when it comes to cyber security is that (much like fitting a smoke alarm AFTER your house burns down) you can't afford to wait for the worst to happen, as a means of assessing your level of risk.

By then it's far too late, you won't have control over the chain of events that will inevitably follow, the damage will perpetuate and grow, your inner strength will be tested like never before, your team will look to YOU to save their jobs - and you will feel a slow, dawning realisation that it really didn't need to happen that way at all!

So, be proactive.

Start today; I guarantee there is nothing sitting on your desk after Christmas that is more important than putting cyber security measures in place and properly acknowledging your risk.

This is a behaviour you can implement today, and the best possible quote to have in your mind right now is this one, by John C. Maxwell:

"If you're proactive, you focus on preparing. If you're reactive, you end up focusing on repairing."

What are you waiting for?

If there is one absolute truth in life, work and all contexts of the world we try to navigate - it is that we can (and do) do better when working with and supporting others.

While this is an indisputable truth, the fact remains that very few organisations succeed in building a culture and environment designed to nurture strong and effective teamwork.

Yes, it really can make the dream work - but sadly in most cases it's more of a nightmare than a happy dream.

The most important element of teamwork and successful group environments is a shared and clear objective. It is impossible for "us" to reach a positive outcome if we don't all know or understand what we are supposed to be working towards or the goals "we" need to achieve?

Right?

It sounds obvious, but it's often overlooked and lost in the rush to get busy.

Often there is one significant barrier to true team cohesion and success.

Ego.

Harry S. Truman once said that "It is amazing what you can accomplish if you do not care who gets the credit." I think this is an incredibly powerful message in relation to true team working, and the acknowledgement of how important it is to build a collective effort.

In relation to cyber security - this is a fundamental issue. Cyber security (and data protection) cannot be "done" by one person, or even a small team working in isolation.

To truly move forwards with a proactive plan, we have to embrace and involve every single person in the organisation. Winning and losing as one, learning from every bump in the road and making changes and iterations as we go - to ensure that everyone understands they are a key part of a collective effort.

This might all sound a little too deep and emotive, surely we're supposed to be talking about cyber security?

Well, cyber security is very much a human subject, which means if you can build an effective "human firewall" you might just see some significant improvements in relation to cyber risk (book a place on our January webinar here: Webinar invitation - Human Firewall: Your people and their role – Moore Kingston Smith (mooreks.co.uk)).

By applying some of the suggestions we will share in our webinar, you can drive really positive team engagement across your organisation, which will in turn benefit you in so many other areas of your operation.

I promise the webinar will open your eyes and you'll have plenty of ideas to take away!

A subject that always makes me passionate and animated is that of context and balance.

I have always been firmly of the view that if we lose our perspective or context, it is impossible to make rational, balanced decisions - either in a workplace setting or in our life environments.

Perspective in particular is so powerful, because it represents our "truth" in terms of how we see and navigate the world. Therefore it is incredibly important to ensure our "view" of cyber security and how it relates to our organisation, is accurate - and that we are objective in our thinking.

In terms of balance, at Moore ClearComm we know that cyber security or data privacy is just one of a large number of risks and challenges you face, day to day. We understand that it is vital that we view your risks in the context of your bigger picture, and help you to make balanced decisions that are not independent of all the other business issues you are faced with.

Cyber security is a major business issue in 2024. It has been for many years, and the threat has grown (and will continue to grow) exponentially each year.

However, it's not the only subject you're concerned with, and much like when we talk about Proportionality - it's essential to strike the right balance, see the true context of your risks and threats, and to put everything into perspective.

Oh and one more thing, always be wary of confirmation bias.

If your mindset is fixed on looking for some evidence to prove that you have no cyber threat to manage - I guarantee you WILL find that evidence, giving you the perceived justification to do nothing.

Unfortunately, that's likely to lead to "game over" and a very painful outcome.

Kenneth Noland says it perfectly: “For me context is the key – from that comes the understanding of everything.”

The great Billie Jean King once said that self-awareness is probably the most important thing towards being a champion.

The simple fact is, it's not possible to truly move forwards in the right direction if you don't know:

a) Where you are now

b) How you got there

c) Why you are on this journey, and

d) Where you want to end up

While self awareness, by definition, represents the conscious knowledge of our own character and feelings, the truth is that many of us meander through life with very little awareness of what we’re doing, or why we’re doing it.

If you've joined any of our webinars focused on the human psychology of cyber security, you'll already know that this is not always a bad thing. We rely on our heuristic (sub-conscious) thinking to navigate the repetitive and mundane tasks and challenges of life.

The problem comes when we need to apply critical thinking, which is essential for objective problem solving - and especially cyber security best practice.

To achieve this - we absolutely need to leave our egos at the door, know our strengths and weaknesses, and consider whether we need a third-party expert to take on some of the fundamental business challenges every organisation will face in 2024.

As a leader you cannot be, and are not (check that ego!) the best or most effective individual in every aspect of your organisation.

If you are (or think you are) then sadly you already have some fundamental problems that go way beyond the subject of cyber security, and you need to work on that in other ways.

Cyber security is however one of those areas where it is often unlikely you would have sufficient skills, knowledge or expertise in-house, leading to the balanced consideration of whether to bring in a managed service from an organisation such as ours.

These are some helpful ways to focus on and build your self awareness:

  • Seek feedback from others (peers, employees and suppliers), and listen to their response. How well are you doing NOW, in respect of cyber security and data privacy?
  • Gauge the feeling in your organisation in respect of cyber security. How does your team feel about it, do they feel the need for outside help?
  • Identify your values - how important is your reputation, core values, and doing the right thing?
  • Reflect on your personal and business perspectives; do you hold views or opinions on cyber security that are based on evidence and facts, or emotions and hearsay?
  • Know your limits; what can you do well now, what do you struggle with, would an expert third-party significantly help to reduce your risk, and (finally)
  • What is good cyber security "worth" to you? Put a £-sign next to what you believe it would cost you, your business and your employees - then double it

None of this is easy to deploy.

In the article above I've touched on some fairly deep issues and subjects that would not obviously relate to cyber security or data privacy risk.

That said, everything in life comes back to humanity and how we interact with the world and people around us.

On that basis, I leave you with 3 tips:

  1. Don't try to reach cyber security utopia by the end of January. You will inevitably fail, feel disappointed and will likely be worse off on January 31st than you were yesterday. Instead, take steady steps in the right direction, grow your security posture gradually and incrementally, and ensure that with each step the % of your team "on board" and engaged is increasing. If you struggle, please reach out to me.
  2. Listen to your people; your employees often know more about what's really going on in your business than you might. So, talk to them. Hear them out. Have a chat about cyber security and data privacy, ask them how it makes them feel. Scared, worried, concerned or (hopefully not) disinterested or indifferent? From these conversations I promise you will have a much better idea of what to do next.
  3. Finally, you are not alone. Every business and its supply chain will experience the negative implications of cyber crime, and most will assume their suppliers and THEIR suppliers have it all in hand. They won't. So, work together, share resources and best practice - and collaborate for a more secure 2024. And again, please don't hesitate to reach out to me. A conversation costs nothing, but might just be the starting point you need.

Until next time, I hope you have a very secure, successful 2024 - and don't forget to join me on our "Human Firewall" webinar on Thursday 18th January from 10am!


Sasha Lawrence PGD

Level 2 Risk Officer @ Derivco, Information / Cyber Security & Risk evangelist and DJ

1 year ago

On point, balanced and very well written Rich Jackson
