How's that?
One moment of distraction, a loss of concentration for a few seconds, or a lack of understanding (and sometimes an unwillingness to acknowledge it) could lead to a chain of events that results in a cyber or other IT incident that impacts every aspect of an organisation and beyond.
Sound familiar? The catastrophic fall-out from the CrowdStrike update incident is a taste of the impact a massive and sustained cyber incident could have in our digitally connected world. Are your people really as aware and focused as you need them to be? Do you have the resilience to be able to ‘survive and thrive’?
When Take That covered the 1975 Tavares hit ‘It only takes a minute’, little did they know how prescient that short phrase was in cyber security. Instead of minutes though, it can be counted in seconds.
Examples abound of cyber incidents happening because someone in an organisation lost concentration for a moment and clicked on a link or opened an attachment that contained a ransomware payload. But it’s so much more than this.
I recently heard an archived interview on the radio with a cricketer (warning, sporting analogy, please bear with me). He had batted all day, from 11am until close at 6.30pm (obviously with lunch, tea and drinks breaks). This takes enormous sporting skill to achieve, as well as extensive physical and mental resilience. What caught my attention, and therefore my imagination, was his answer to the question: “How did you manage to concentrate for 7 hours ‘in the middle’?”
His reply made me stop in my tracks.
He said he hadn’t concentrated for 7 hours at all, only a matter of minutes in total. When asked to clarify his answer, he explained that he only focused for a few seconds at a time: when the bowler was making the delivery (average 80-120mph) and when deciding whether to run or not. At other times he would force himself to relax. In other words, he had trained himself to be highly focused at key moments in the game.
And this got me thinking, as the same is basically true in cyber security.
I think most of us in the industry would agree that we need to be vigilant 24/7, with threats against our networks from cyber-criminal gangs and state-sponsored actors, whether from China, Russia, Iran or North Korea, ever present. The profound disruption to day-to-day operations caused by a ransomware attack is well illustrated by the Royal Mail, the University of Manchester and the British Library in 2023.
So, if we need to have the mindset that we could be subject to a cyber-attack at any time, surely everyone’s role in an organisation is that much more important. And I mean everyone; from the board downwards.
If we take the cricketing analogy and overlay it onto daily decision-making in a business context, the need to concentrate for those key moments makes much more sense. Opening your inbox is preparing to receive the ball. You look at your emails with a high degree of concentration. Anything that looks different or out of the norm, you immediately pause. In other words, you are getting ready to play your shot and then deciding whether to run.
But this analogy can be just as relevant at board or senior leadership team level. The lack of wide-spread cyber knowledge at board level is well known. The implications of investment choices are often obscured from decision-makers by complex technical language. An understanding of the need to invest in network redundancy as a core measure to enhance resilience is often lacking. There are key moments in board discussions which can change the trajectory of an organisation. The British Library’s revealing blog about the circumstances surrounding its 2023 breach should be on every senior leader’s summer reading list.
In other words, there are key moments in everyone’s day, in relation to cyber and IT security, when it’s imperative to focus and concentrate. The implications of not doing so are significant. Knowing when these moments are in front of you is the key. And this is every day.
Delivering an organisation’s cyber resilience is a team sport, with many elements making up the whole. Putting in place robust assurance policies and procedures, overseen by third parties, blending the right technical capabilities, having a sensible mix of vendor solutions, appointing effective leadership and seeking advisors with cyber knowledge at board level, are all essential.
Improving an organisation’s human risk management, by changing behaviours and improving security culture, is therefore an enabler in this mission. Reducing the risk can only be achieved by instilling the right mindset across an organisation, whatever the individual’s role.
We all have a part to play. Even if it’s cyber resilience, not cricket.