Combating cyber crime requires a combination of approaches, and should a cyber attack actually hit an organisation, a culture of accountability could encourage company-wide caution and adherence to due diligence measures. Gregory Touhill analyses how much depends on employees following company policy.
Nestled in William Craig’s book Enemy at the Gates, which recounts World War II’s epic Battle of Stalingrad, is the story about a Soviet division that was plagued by failure in the face of the enemy. Desertions were rising, officers’ orders were not being followed, and the invading enemy was making gains. Faced with this calamitous condition, the regimental commander called the troops into formation and let them know that collectively, they were failing and would be held responsible. Then, in an outrageously cold manner, he walked through the ranks and summarily executed every 10th soldier until six soldiers lay dead on the field. He got their attention, and the unit was instrumental in the subsequent Soviet counterattack that led to victory against the Nazi invaders.
Obviously, I do not support such extreme and violent methods of accountability, yet the example does make you pay attention. As we grapple with today’s digital “enemy at the gates” or even the “enemy inside the gates,” accountability for failure to properly protect the information our national prosperity and security depend on has never been more important. Firing CEOs and CIOs is typically a public gesture enacted to diffuse blame rather than address the root causes. Sadly, accountability and ownership are often missing components in cyber strategies and risk management planning at a time when risks are ever-increasing. Therefore, it is critically important that all organisations better manage cyber risk by embracing a culture of accountability and ownership that guides the implementation of due care and due diligence measures.
What is "due care"?
I define due care as “doing the right things” and due diligence as “doing the right things right.” Unfortunately, I’ve found too many organisations where due care and due diligence are not occurring. For example, ask most cyber incident responders about the root cause of cyber incidents and they will likely sigh and point to the “usual suspects”: failure to patch, misconfigured systems, failure to follow established policies, misuse of systems, lack of training, etc. As someone who led incident responders in both military and civilian government organisations, I found that one of the great frustrations of cyber professionals is seeing leadership ignore or tolerate the so-called “usual suspects” and not hold people accountable for a glaring lack of due care and due diligence.
While many media reports these days focus on the very real and present threat of well-funded nation-state actors, I contend that the greatest cyber threat we all face is what I refer to as the “Careless, Negligent and Indifferent” in our own ranks. Failing to properly configure a system so that it exposes information to unauthorised personnel is an example of carelessness. Failing to patch critical vulnerabilities quickly, or to implement additional compensating controls until the patch is ready for promotion, could be considered negligence. Personnel indifferent to established policies, such as the prohibition on password-sharing, expose organisations to increased cyber risk. While nation-state actors get all the hype, I contend that more than 95% of all cyber incidents are preventable and are the result of the Careless, Negligent and Indifferent in our own ranks. We should not accept this!
Do we need more legislation, regulation or policies to thwart the threat posed by the Careless, Negligent and Indifferent? Do we need to continue our habit of buying the next neat technology in hopes that its “silver bullet” defence will save the day? I don’t think so. I believe what is needed is to execute our existing policies better and hold those who do not follow those policies accountable. While we can’t eliminate our cyber risks, we certainly can reduce our risk exposure by executing our plans, policies and procedures with greater velocity and precision. When we do so, we are exercising due care and due diligence that protects our brands, reputations, customer data, intellectual property, corporate value, etc.
Accountability must be clearly defined, especially in strategies, plans and procedures. Leaders at all levels need to maintain vigilance and hold themselves and their charges accountable for executing established best practices and other due care and due diligence mechanisms. Organisations should include independent third-party auditing and pen-testing to better understand their risk exposure and compliance posture. Top organisations don’t use auditing and pen-testing for punitive measures, but rather to find weaknesses that should be addressed. Often, they find that personnel need more training and regular cyber drills and exercises to reach a level of proficiency commensurate with their goals. The organisations that fail are those that do not actively seek out weaknesses or that fail to address known weaknesses properly.
Sound execution of cyber best practices buys down your overall risk. With today’s national prosperity and national security reliant on information technology, the stakes have never been higher.