Grant Barnes, Threat and Vulnerability Manager at Cantium Business Solutions, explains how a shift in mindset from feeling like a victim of cyber attacks to a proactive defender of our digital assets can help raise our educational awareness of cyber security threats.
It is understandable that public sector organisations and teams can feel vulnerable even before an issue has occurred. The public sector manages vital infrastructure, making it a high-value target for cyber criminals. A cyber-security breach can have far-reaching consequences, including compromised national security, disrupted public services, financial losses and a decline in citizen trust.
How can we shift the mindset from victim to proactive defender? From my experience, it’s through acknowledgement and understanding. It’s okay as an individual and even as an organisation to be confused about cyber security. We see endless headlines about data breaches and hackers, and we hear changing and conflicting advice about what we should and shouldn’t be doing, all while technology and cyber risks are evolving.
To navigate this, it is important to lean on your security team, whether that be internal or third party, who can explain your organisation’s exposure clearly. This is where you need not be afraid to say that you do not understand. Your professionals can explain in a way that works for you as an individual. They can compare the situation to common themes or other areas of the business, and take into consideration not just the impact but the probability.
Common misconceptions about hackers
Common misconceptions widely reported and shared online have contributed to the confusion around cyber. The biggest one in my experience is that a cyber attack is usually initiated by a hooded individual in a dark room, furiously tapping away at a keyboard and writing incredibly complex code. In reality, what tends to occur is that sensitive details are listed for sale on the dark web. Someone takes the opportunity to purchase these details and then tries their luck to see whether anyone is using the same password for multiple services. No real hacking is involved in gaining a foothold or entry point to your infrastructure; it is simply a manipulation of human psychology.
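The pattern described above, purchased credentials tried across many accounts, leaves a recognisable trace in authentication logs: one source attempting logins against many distinct accounts in a short window, with the occasional success where a password was reused. The following is an added defender-side example, not code from the article or from Cantium, that flags such sources over a constructed log sample and lists the accounts that succeeded so their passwords can be reset. The log format and IP addresses are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# 203.0.113.7 cycles through six accounts in six seconds and gets one hit;
# 198.51.100.4 is a single user mistyping their own password.
SAMPLE_LOG = """\
2024-05-01T09:00:01 login user=alice src=203.0.113.7 result=fail
2024-05-01T09:00:02 login user=bob src=203.0.113.7 result=fail
2024-05-01T09:00:03 login user=carol src=203.0.113.7 result=fail
2024-05-01T09:00:04 login user=dave src=203.0.113.7 result=success
2024-05-01T09:00:05 login user=erin src=203.0.113.7 result=fail
2024-05-01T09:00:06 login user=frank src=203.0.113.7 result=fail
2024-05-01T09:05:00 login user=alice src=198.51.100.4 result=fail
2024-05-01T09:05:20 login user=alice src=198.51.100.4 result=fail
2024-05-01T09:06:00 login user=alice src=198.51.100.4 result=success
"""


def parse_line(line):
    """Parse 'TIMESTAMP login key=value ...' into (time, user, src, result)."""
    ts, _, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["src"], kv["result"]


def detect_credential_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {src: {"attempted": [...], "succeeded": [...]}} for every source
    that tried at least `min_users` distinct accounts within `window`.
    Repeated attempts on one account from one source are not flagged here;
    that is a lockout/brute-force question, not credential stuffing."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, user, src, result = parse_line(line)
            by_src[src].append((ts, user, result))
    hits = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide window
                start += 1
            if len({u for _, u, _ in items[start:end + 1]}) >= min_users:
                hits[src] = {
                    "attempted": sorted({u for _, u, _ in items}),
                    "succeeded": sorted({u for _, u, r in items if r == "success"}),
                }
                break
    return hits
```

Accounts listed under "succeeded" are the ones whose reused password has just been confirmed, so they warrant a forced reset and a review of recent activity rather than only a blocked source address.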
The main challenge that teams face when it comes to admitting their defences fell short is the financial implications. Customer perception of the business may change and could result in a reduction in revenue. There could be fines from the Information Commissioner’s Office (ICO). There could also be further investment required to react to the breach and bolster cyber defences.
Cyber security teams are responsible for our source of truth
Education and awareness can contribute to reducing the stigma associated with cyber crime and breaches. Cyber security teams as a whole are responsible for not only the defence of the organisation but also the source of truth. It is our responsibility as a team to escalate the correct risks for acknowledgement and decision-making but also to assure organisations that the day-to-day operations can react, too.
For example, a CEO who reads about a Check Point 0-day attack and knows the business uses Check Point products should already be aware that his team produces a weekly executive security report and that processes and procedures are in place to react to 0-days. He can therefore be confident in reviewing that report to address any concerns and to decide whether further information on the risk is needed.
In the UK, we are lucky to have the National Cyber Security Centre (NCSC), the public-facing arm of GCHQ, the UK’s intelligence, security and cyber agency, which actively works with organisations to raise awareness of this issue and to help businesses react, navigate incident response and adopt best practices.
As well as this fantastic resource, there are proactive steps individuals and organisations can take to reduce their vulnerability to cyber attacks before they occur. This comes back to acknowledgement and education. We need to move away from cyber security being a complex and hard-to-navigate area. Here is what we need to focus on to improve our awareness:
Our learning must evolve to keep up with changing threats
There are potential long-term consequences for departments that delay investing in cyber security until after experiencing a breach, particularly in terms of reputational damage.
For public services, one of the worst-case scenarios is lack of trust. You’ll see your relationships with your end users quickly disappear and your organisation will soon be viewed in a negative light.
And this is just the worst-case scenario for the service itself. If you are an executive responsible for the posture of the service, or you are an employee working for this organisation, you are then met with negative bias in interviews or other developmental opportunities.
While cyber threats continue to evolve, we are also constantly learning about new ways to protect our digital assets. The only way we are going to combat future attacks is through education and awareness, and that support will come from your professional security team.