Issue Twenty Seven

Target Lock

July 2023

Businesses today are faced with a pressing imperative: to integrate ethical digital practices deeply into their organizational fabric. The synergy between digital responsibility, cybersecurity strategy, and threat understanding isn't just beneficial—it's critical. These are not merely boxes to be checked; they’re priorities that garner trust and loyalty from consumers, employees, and investors alike. Achieving this trust, however, is a challenging task, given the continuously evolving landscape.

While we lean heavily on innovative technology, human behavior, with its emotional responses and cognitive biases, remains paramount. Treating the human factor as the primary line of defense is not only strategic but necessary: it is in understanding human bias that we find the leverage to turn our vulnerabilities into strengths.

Statistical evidence of this reality is brought to life by the annual Verizon Data Breach Investigations Report: cyber adversaries are evolving, relentlessly exploiting our digital dependencies. This is a call for vigilant adherence to fundamental cybersecurity measures, reinforced by shared responsibility.

In this issue of Target Lock - digital responsibility, human-centered cybersecurity, and evolving threats highlight the current cyber conversation. Enjoy.


ZEROING IN


Infusing Digital Responsibility into Your Organization

Harvard Business Review

Responsible digital practices have become increasingly important for businesses in today's world. Companies that prioritize and demonstrate their commitment to responsible digital practices have a distinct advantage in the marketplace. In fact, according to a recent study, 58% of consumers, 60% of employees, and 64% of investors make decisions based on their beliefs and values.

To infuse digital responsibility into your organization, there are four best practices to consider. The first is to anchor digital responsibility within your organizational values. It's important to ensure that your objectives are in line with your mission statement or CSR commitments. For example, if sustainability is a core value, then your digital responsibility objectives should align with that.

Secondly, it's essential to extend digital responsibility beyond compliance. While regulations on data privacy, IP rights, and AI cannot be ignored, companies should establish a clear link between digital responsibility and value creation. This can be achieved through a forward-looking risk-management mindset, especially in areas lacking technical implementation standards or where the law is not yet enforced.

Third, set up clear governance to minimize tensions between competing interests. There is an ongoing debate over whether to create a distinct team for digital responsibility or to weave responsibility throughout the organization; what matters is a governance structure that fits your business. Smaller businesses rarely have the resources for a dedicated team, so weaving responsibility through existing roles is usually the more practical approach: assign digital responsibility tasks to existing staff, make sure they understand what is expected of them, and use clear communication channels and periodic reviews to keep everyone aligned. Done well, this lets a small business demonstrate its commitment to responsible digital practices as convincingly as a larger one, which is a clear differentiator.

Lastly, ensuring employees understand digital responsibility is crucial. Today's employees need to appreciate the opportunities and risks of working with different types of technology and data, and they must be able to raise the right questions and have constructive discussions with colleagues. Upskilling the workforce and creating a self-directed learning culture can help achieve this, and it goes hand in hand with measuring the organization's overall digital literacy on an ongoing basis.

By taking a proactive approach to digital responsibility, businesses can improve their digital performance and advance their organizational objectives. They must still balance stakeholder interests and comply with relevant regulations on data privacy, IP rights, and AI. While balancing competing interests is challenging, companies that promote responsible digital practices enjoy higher levels of stakeholder trust and loyalty, and in turn find it easier to grow revenue, recruit staff, and extend digital trust to partners.

SQ Insight: Kenneth Holley - Chairman


Placing People & Realism at the Center of Your Cybersecurity Strategy

DARKReading

The most significant cybersecurity threat we face today is the exploitation of human emotions and cognitive biases, making human behavior the real cyber battleground. Widely cited research puts the share of cyber incidents involving human error at up to 95%, with breaches often traceable to misconfigured systems or to staff deceived by social engineering. Simply put, people must become the cornerstone of our cybersecurity strategies.

It is critical that we recognize human bias as an attack surface, so that threat actors cannot manipulate it to their advantage. A cognitive bias is a systematic deviation from rational judgment: people act on the "subjective reality" they construct from their perception of the input rather than on the objective input itself. That is why biases produce perceptual distortion, inaccurate judgment, and illogical interpretation, and it is exactly what a well-crafted lure exploits.

By simulating real-world scenarios, not merely ideal ones, we can anticipate and mitigate these biases effectively. Methods such as ideation, immersion, and gamification, exercised through tabletop exercises, serve as potent tools to uncover and address these biases, especially under pressure. This proactive approach empowers us to convert a potential weakness into a strength, flipping the attacker's script on human nature.

Cybersecurity impacts every facet of our organizations, and our preparation must reflect this reality. A successful incident response plan unifies technical, business, and risk-oriented frameworks. A comprehensive response, underscored by a shared cybersecurity and risk language, prepares everyone - from board members to the newest staff members. Instituting shared language and clearly defining roles ensures fluency in cyber defense across the organization.

Furthermore, cybersecurity must transcend being merely a departmental concern; it should be woven into the very fabric of an organization. By instilling a sense of shared responsibility, we can significantly mitigate cyber risks. A strong culture of cybersecurity should even pervade our homes, extending the sense of responsibility beyond the workplace, fostering universal cyber readiness.

As we brace for a new generation of cyber threats, cybersecurity is undeniably human. While technology resources are vital, acknowledging the human factor as our best defense is a winning strategy. Emphasizing comprehensible, easy-to-follow policies that explain the 'why' can mitigate resistance to change and promote seamless adherence. In this battle against an unseen adversary, it is our collective responsibility to protect our organizations.

SQ Insight: Adam Brewer - CEO


Making Sense of the 2023 Verizon DBIR for SMBs

TechRepublic

Those of us who work in cybersecurity eagerly await the Verizon Data Breach Investigations Report (DBIR) each year. We crash servers downloading a copy, then scour its insights and colorful charts. The June release of the 2023 DBIR did not disappoint.

First, note the volume of source data. The 2023 report examined 953,894 incidents between November 1, 2021, and October 31, 2022, of which 254,968 were confirmed breaches. Suffice it to say the numbers are daunting and on track to exceed 1 million incidents next year (which we know from Dr. Evil is a lot).

Second, no surprise that cybercriminals continue to exploit social engineering techniques, proving them effective and lucrative. Business Email Compromise (BEC) now accounts for over 50% of social engineering incidents, nearly double the prior year. The increase is driven by a rise in pretexting, a form of social engineering in which the attacker invents a believable scenario, usually built on real personal or business details, to make a request look legitimate: an executive who needs a wire sent before a deal closes, a supplier whose bank details have "changed", or a relative in trouble who needs money right now. Pretexting differs from the run-of-the-mill phishing attempt to click a malicious link or "update" your bank login. Its effectiveness lies in how targeted and specific it is and in the urgency it manufactures. Pretexting is likely to grow in popularity alongside artificial intelligence (AI); imagine a cloned voice of a loved one or a boss making the same request by phone, and how much more compelling the scam becomes.
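Pretexting mail tends to carry a handful of mechanical tells that a mail gateway or SOC script can flag before anyone has to "hit pause": an executive's display name on an address that is not theirs, a domain one typo away from the real one, a Reply-To that silently redirects the conversation, and urgency or payment language. The following Python is an added example written for this issue, not code from the DBIR or the TechRepublic piece; the corporate domain, executive list, keyword list and the three sample messages are all constructed for illustration.

```python
"""Flag common Business Email Compromise (BEC) tells in inbound mail.

Added illustration: CORP_DOMAIN, EXECUTIVES, URGENCY_WORDS and the sample
messages below are constructed for this example, not real data.
"""
from __future__ import annotations

from email.utils import parseaddr

CORP_DOMAIN = "example.com"  # assumed corporate domain (constructed)
# Assumed list of people attackers most often impersonate (constructed).
EXECUTIVES = {
    "Pat Chen": "pat.chen@example.com",
    "Sam Rivera": "sam.rivera@example.com",
}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "gift card", "confidential", "asap")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches look-alike domains such as exarnple.com or examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(msg: dict[str, str]) -> list[str]:
    """Return the BEC tells found in one message (empty list means nothing odd)."""
    findings: list[str] = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else ""

    # 1. An executive's display name, but not their corporate address.
    if from_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name]:
        kind = "free-mail" if from_domain in FREEMAIL else "external"
        findings.append(f"display-name impersonation of {from_name} from {kind} address {from_addr}")

    # 2. A sender domain that is almost, but not quite, the corporate domain.
    if from_domain != CORP_DOMAIN and 0 < levenshtein(from_domain, CORP_DOMAIN) <= 2:
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Replies quietly redirected to a different domain than the one that "sent" the mail.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. The urgency and payment language that pretexting relies on.
    text = (msg.get("Subject", "") + " " + msg.get("Body", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages: one legitimate, two pretexts.
SAMPLE_MESSAGES = [
    {
        "From": "Pat Chen <pat.chen@example.com>",
        "Subject": "Q3 planning notes",
        "Body": "Attached are the notes from Tuesday.",
    },
    {  # classic CEO fraud: executive display name on a free-mail account
        "From": "Pat Chen <pat.chen.ceo@gmail.com>",
        "Reply-To": "pat.chen.ceo@gmail.com",
        "Subject": "Urgent - need this handled today",
        "Body": "I'm in a meeting, please wire the vendor payment immediately and keep it confidential.",
    },
    {  # look-alike domain (rn for m) with a redirected reply path
        "From": "Accounts Payable <ap@exarnple.com>",
        "Reply-To": "ap-invoices@outlook.com",
        "Subject": "Updated bank details for invoice 4471",
        "Body": "Please update our remittance details ASAP.",
    },
]


def triage(messages: list[dict[str, str]]) -> dict[str, list[str]]:
    """Map each message's Subject to its findings."""
    return {m["Subject"]: bec_indicators(m) for m in messages}


if __name__ == "__main__":
    for subject, findings in triage(SAMPLE_MESSAGES).items():
        print(subject, "->", findings or "no BEC indicators")
```

None of these checks is conclusive on its own (a real supplier does sometimes write "ASAP"), which is why the function returns the full list of indicators rather than a verdict: two or more together are what should route a payment request to a human who has permission to slow down and verify it out of band.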

Third, the human element accounts for three-quarters of all breaches, whether through error, privilege misuse, use of stolen credentials, or social engineering. Among plain mistakes, a misdelivered email remains the pack leader.

Spoiler alert. There is a relatively easy method to reduce or prevent errors and social engineering attacks. Hit. The. Pause. Button. Yes, everyone is busy and looking at email on a tiny device. Yet, the stop-and-think method remains one of the best techniques to avoid falling prey to cyber-attacks. But I digress.

Fourth, the vast majority of breaches (83%) are caused by external actors (criminal groups, lone hackers, former employees, government actors, Mother Nature) who are primarily motivated by money (although doubtful for Mother Nature). Nearly one in five breaches are at the hands of internal actors such as employees, contractors, and interns. Some of those are deliberate, but an internal breach is twice as likely to be an error as intentional misuse.

Finally, attackers use three primary methods to advance their schemes: stolen credentials, phishing, and exploiting vulnerabilities. The fixes can be as simple as requiring multifactor authentication, not reusing passwords (especially across social media and work), hitting the pause button, and updating systems, applications, and devices with the latest and greatest security patches.

The DBIR has some revealing industry-specific data. For the professional services and information sectors, System Intrusion, Basic Web Application Attacks, and Social Engineering account for most attacks.

The DBIR reminds us that threat actors are not letting up anytime soon and that the cybersecurity basics still work. Make cybersecurity a priority, develop and nurture a security culture, educate users (and give them permission to slow down and hit pause), use multifactor authentication, and keep systems and applications updated. Above all, be ever vigilant; we know the threat actors are.

SQ Insight: Tony Ogden – President, GRC


Kenneth Holley

Kenneth Holley's unique and highly effective perspective on solving complex cybersecurity issues for clients stems from a deep-rooted dedication and passion for digital security, technology, and innovation. His extensive experience and diverse expertise converge, enabling him to address the challenges faced by businesses and organizations of all sizes in an increasingly digital world.

As the founder of Silent Quadrant, a digital protection agency and consulting practice established in 1993, Kenneth has spent three decades delivering unparalleled digital security, digital transformation, and digital risk management solutions to a wide range of clients - from influential government affairs firms to small and medium-sized businesses across the United States. His specific focus on infrastructure security and data protection has been instrumental in safeguarding the brand and profile of clients, including foreign sovereignties.

Kenneth's mission is to redefine the fundamental role of cybersecurity and resilience within businesses and organizations, making it an integral part of their operations. His experience in the United States Navy for six years further solidifies his commitment to security and the protection of vital assets.

In addition to being a multi-certified cybersecurity and privacy professional, Kenneth is an avid technology evangelist, subject matter expert, and speaker on digital security. His frequent contributions to security-related publications showcase his in-depth understanding of the field, while his unwavering dedication to client service underpins his success in providing tailored cybersecurity solutions.
