Simon Whitburn, SVP, Nominet Cyber Security Services, discusses how advice from the motivational classic Who Moved My Cheese? is relevant to cyber security.
It may be two decades since the motivational business fable Who Moved My Cheese? set the world alight (to date it has sold more than 26 million copies worldwide), but the allegorical tale of a cheese hunt is certainly still relevant to the challenges companies face today.
Or, specifically, to the biggest challenge of all: cyber security. Businesses large and small are facing the complex task of creating, maintaining and reinforcing cyber security provision that can keep pace with the evolving complexity and ferocity of cyber crime.
The only constant with cyber crime is change. Criminals are on the hunt for data, and their methods alter both with each technological advancement and to keep ahead of increasingly complex law enforcement strategies. Who Moved My Cheese? provides some key messages for those looking to cope with change. The fundamentals can be applied to our approach to cyber security to help businesses engage effectively with the issue.
In the book, the mice and humans are scouring the maze for cheese. The mice prove more ingenious, but at last the human character Haw realises how to maintain his cheese supply by embracing change and working with the system. The lessons learnt are thus:
Change happens. Anticipate change. Monitor change. Adapt to change quickly. Change. Enjoy changes. Be ready to change quickly and enjoy it again.
While the enjoyment element might be somewhat subtler than gorging on cheese, the satisfaction of keeping the business cyber secure should be reward enough. Dynamism is the overriding message: your cyber security provision needs to be informed, flexible and effective. Complacency is not an option. Security is a journey, not a destination, and your business must embrace change to survive.
Start by anticipating change. This means accepting that a cyber breach is simply a matter of time (as the experts keep telling us) and that your efforts must evolve continuously to cope with changing circumstances.
The next step is to monitor the landscape of cyber crime and cyber security. For example, Verisign’s 2017 Data Breach Investigations Report found that 75% of breaches are perpetrated by outsiders and 62% featured hacking, with 66% of malware installed via malicious email attachments. This is information that can guide your own provisions internally.
News stories are also a good source of preventative data. What can you learn from the mistakes of others? There is value in recognising that the recent breaches of NHS Trusts could have been prevented if updates had been installed, or that the hack of email accounts belonging to British MPs was largely due to weak passwords. Don’t fall into the same traps.
Adapt your business by thoroughly checking your own systems, networks and staff. Greater visibility into your internet infrastructure could enable you to use it as an early-warning system for attacks and threats. Your DNS (domain name system), for example, is rich with intelligence and is a good place to spot malicious activity from hackers probing your systems for vulnerabilities.
Keep the company continuously moving towards safer, more secure practices. This includes reviewing the business carefully to identify weak spots and mitigating the vulnerabilities. Staff need to be trained regularly. Keep them involved in your cyber security efforts to create an environment of vigilance.
Consider your suppliers and contractors. Do you currently have a system or process in place to evaluate their cyber security posture? Develop a checking process to ensure you only work with people who prioritise their security. Lastly, ensure you have business continuity plans in place for when the worst happens. Mitigation and recovery will be the crucial steps following an attack that could save your business from irrevocable damage, in terms of both reputation and data loss.
Being ready to change quickly should underpin everything. Be dynamic. Do all the above regularly and be prepared to change again at any point. Cyber crime is an evolving, capricious creature and must be matched with a flexible and proactive cyber security strategy if a company wants to have the best chance of limiting disruption and securing its assets. Think of your data like cheese and learn from a bestseller; resting on your laurels is no way to guarantee a sustainable supply of the good stuff.