The internet is not 100 percent safe, but that doesn’t mean you shouldn’t be using it to help take your business forward. Rather than worrying about all those things that you don’t understand, I think you should think of the internet in the same way you think about driving.
Think about it: is driving safe? Of course not. There you are, hurtling down the open road at 100 kph with another vehicle coming straight towards you at the same speed. The only thing between you and the oncoming car is a thin painted line. We know that if that thin painted line doesn’t do its job and the two cars collide, the result is a big mess. Bodies aren’t designed to absorb that kind of pressure.
The result is that over 300 people die from driving every year and thousands more are injured. Worldwide, Wikipedia quotes World Health Organisation statistics of 1.25 million people dying on the world’s roads every year.
Yet we still drive. With these kinds of statistics, why would you risk your life by driving? In the end there are two main reasons for most people. Firstly, the benefits of driving are huge. Modern driving means that you can easily travel 100 km an hour. The non-driving equivalent of this is 5 km if you walk, or 30 km if you’re really fit and can bike. If you go really old school and ride a horse, then on average you will cover 50 or 60 km in a day. The second is that we know that if we take sensible precautions we can substantially decrease the risk of dying. When it comes to driving, these sensible precautions are fairly well known. For example:
- Ensure your car is in good working order and ideally modern so it includes all the latest safety features
- Don’t drive while you are under the influence of alcohol or other drugs
- Don’t drive too fast, or perhaps more accurately drive appropriately for the conditions
- Ensure you are alert and do not drive when overly tired
- Adhere to the comprehensive set of rules that all drivers are expected to follow when driving (that’s why the thin painted line works).
On top of this we have a very comprehensive system in place to teach people to drive safely and a series of sanctions for people who are caught breaking the rules, including taking their driving privileges away from them.
Despite all this, we know that an accident can happen at any time. The risk is always there, but we still do it. I believe that this is the stance that organisations need to take around digital risk. We know it exists and we know that there is always a risk, but if we put sensible precautions in place then we can substantially reduce the risk of operating in the digital world and set ourselves up to succeed. The only question is: what are the digital equivalents of these sensible precautions that you need to implement to reduce your digital risk, and have you implemented them?
| Sensible Digital Precaution | Rationale |
|---|---|
| Ensure all your systems are up to date with the latest patches and major releases | Often organisations look at the cost of system upgrades as being a waste of money. This position is understandable because most upgrades don’t deliver significant new benefits, so it looks like you are being forced to spend for no real return. The reality is that these upgrades usually contain significant improvements in security as vendors seek to close security vulnerabilities and address new emerging threats. If you don’t do them, you leave yourself open to being exploited. |
| Build “security in depth” | Modern cars don’t rely on one safety feature. They have multiple safety features, from seat belts to crumple zones to air bags. It’s the same in modern system security. You need to deploy multiple ways to detect and deal with potential security breaches. We call this security in depth. |
| Build digital competency | For most organisations the greatest security weakness is your staff. They simply don’t know how to keep themselves and their organisation safe in the digital world, and organisations don’t systematically invest in upskilling their team in the required skills. We don’t let people drive if they haven’t demonstrated their knowledge of the road rules or their basic competence in the practical skills of driving. We should take the same approach to digital competency. |
| Know how you are going to recover | As with driving, even if you do all of the above, accidents still happen. You need to be prepared for when you do have a serious security breach, because it will likely still happen. You prepare by understanding how you are going to recover from this breach and get your business back online. You do this through effective IT disaster recovery planning and by regularly testing your recovery plans through a variety of scenarios. |
| Actively consider and understand your tolerance for cyber security and risk | Like all things in life, reducing your cyber risk costs money. Also, the more secure you want to be, the harder it is to innovate, because innovation introduces the new and previously untried. By its very nature it is likely to expose a business to new and unanticipated risks. You need to invest enough time and gain enough understanding to be able to define what your particular appetite for cyber risk is and what the right set of controls and mitigations is that you need to put in place to effectively manage your risk profile. It is no longer good enough to do the ostrich and bury your head in the sand and hope it goes away. |
Do these things and you have set yourself up to be able to enjoy the benefits of digital in comparative safety and comfort.