When we hear the phrase cybersecurity many things may come to mind. You might think of such things as:
Viruses and malware
You might also think of things more technically in terms of:
Internet of Things (IoT)
You might also think of things in terms of what is at stake, such as:
Loss of identity
Loss of reputation
Loss of business or the loss of your business
Each of these groups represent the kinds of things that need to managed holistically, together, as a system, and pardon the pun, without any holes or as they say in the cybersecurity world, vulnerabilities.
But what happens when vulnerabilities are exposed and what is valued is not protected?
The LifeLabs Breach
To explore the concept of cybersecurity and to bring the topic closer to home I thought it helpful to look at the LifeLabs breach that happened in Canada in 2019. Here are some of the key facts surrounding the event:
This was the largest breach in Canada resulting from a ransomware attack
15 million people across Canada were affected by the theft of their private data.
LifeLabs is reportedly facing lawsuits (in the billions) and certainly a loss in reputation and perhaps, maybe more.
In recent weeks, I received an email from LifeLabs which was also sent to others affected by the breach. This latest communication outlines LifeLabs latest response in the wake of the ransomware attack. In the letter we read that LifeLabs has now:
Appointed CISO (Chief information and Security Officer)
Added CPO (Chief Protection Officer) and CIO (Chief Information Officer)
Investing $50M to achieve ISO 27001 certification (international standard for information security management)
Engaged third-party to evaluate their cybersecurity program
Established an information security council
Strengthened their detection technology
Implemented yearly security awareness and training
This certainly sounds substantial and it is.
However, what this list of actions also tells me is that they had very little in place prior to the breach in terms of management accountability, oversight, standards, or anything that would let them know how well they were doing with respect to protecting patient data.
It is good to see that they are addressing these now, perhaps, too little too late; time will tell. What we do know is that it will take time before these changes will significantly impact the improvement of their defences which they should have started to do years ago.
Cybersecurity Risk Landscape
When we look across the cybersecurity landscape one can make the following observations with respect to risk:
Threats to people and things we care about are all around us and perhaps always will be.
The risks that matter are connected with what is valued, and there are plenty of bad actors who are interested in what we value.
The conditions for cybersecurity risk are also increasing, specifically now as more employees are working from home than ever before.
Every company has a cybersecurity program, some are more effective than others.
Cybersecurity is not only a technical problem; it is a business problem that requires a business solution.
It is the last one that needs to be highlighted, underscored, and acted on the most.
Cyber risk is a real threat, involves technical measures to address but is foremost a business problem that requires a business solution. LifeLabs' failure to prevent a breach was a failure in leadership and management which they are now attempting to address, and not necessarily a failure in their technology.
Leadership intention and management commitment are needed for companies to keep the dragon of uncertainty from penetrating their defences and stealing their gold in whatever ways that is defined.
Lack of Intention
It used to be said that:
There are two kinds of companies: those that have suffered a cyber-attack, and those that will.
But now, we say it this way:
There are two kinds of companies: those that have suffered a cyber-attack and those that don't know that they have.
When they do find out it is often too late, and the effects too severe for many companies to survive its effects. Waiting until you have been breached to improve your cybersecurity defences is probably not the best business or technical strategy. However, many companies still take the wait and see approach.
So what might motivate organizations to be more proactive with respect to improving their defences?
Companies might consider a legal motivation. Regulations do exist and are expanding to compel organizations to establish adequate programs and measures. However, they are have not kept and fall short to adequately contend with cyber safety. Waiting for regulations to tell you what you must do will mostly likely also be too late.
Improving cybersecurity defences is beneficial to reduce insurance costs, improve efficiencies if done correctly, and prevent disruptions which contributes to greater resiliency for your business. While these are all valuable outcomes, they are often considered as goals that are worked on after all other objectives have been met.
Keeping what you value safe and protecting against lost can also be a power motivator particularly when it involves the safety of people and their livelihoods.
But what lies behind all our motivations, is our intention. It is a company's intention that ultimately determines the effectiveness of their cybersecurity program and motivates improvement that are made.
Research has shown that intention significantly determines what is accomplished. If your intention is to achieve ISO 27001 certification, for example, then that's what you will get, most likely, but you will most likely not improve your cyber security.
However, if you want to improve your cyber security and choose ISO 27001 as the means to do that, then you will not only receive your certification, you will most likely improve your cybersecurity as well. You will get both.
Where you aim determines what you achieve. Which is why organizations need to choose their goals well including those to improve cyber safety.
In our next blog article we will look at various standards, guidelines, and strategies companies are using to address cybersecurity risk.