We all know the importance of good personal health, right? For instance, weight loss reduces the risk of heart disease, blood pressure and diabetes, and can extend an individual’s lifespan. But we still eat burgers and fatty foods – perhaps until something drastic happens to our health, which is when we act. Similarly, smoking significantly increases the risk of lung cancer and a variety of pulmonary diseases, but that doesn’t stop us from partaking in this activity. Our rationale? If we were to acknowledge every single negative or risk, life wouldn’t be worth living. Perhaps! Also, we don’t see the value of pre-empting such health scares – the benefits of good health are intangible – until ill health strikes.
As humans, we apply the same rationale to cybersecurity. Despite knowing that social engineering in the form of CEO fraud and invoice fraud, is one of the biggest cybersecurity threats, it is difficult to grab the attention of senior executives – until there is a breach.
There are two primary reasons for this that I’d like to highlight. One, is the misconception that phishing and social engineering tricks the stupid people. The reality is to the contrary. Criminals aim their attacks at the crème de la crème of society and business to use their power and authority to make monetary gains. So, the thinking on the part of individuals that “it won’t happen to me” doesn’t apply. Additionally, often these individuals take the view that the cybersecurity is being taken care of by the organisation’s security/IT department. However, given the nature of social engineering and phishing every single employee must be engaged with and alert to such threats.
The other is that cybersecurity doesn’t make businesses money. The C-suite looks at the world through the profitability lens and cybersecurity doesn’t directly fit into that paradigm. Neither is it a resource to further business goals and strategy. So, unless an organisation actually sees the damage (financial, reputational, operational) caused by a breach, they are lulled into a false sense of security and complacency and hence don’t direct attention to the function because they don’t have a tangible value on the return on their investment.
It’s a business imperative today to invest in cybersecurity. Rather than acting after the event, organisations must invest to pre-empt breaches. Security awareness and training programmes are a must. On the technical side, I can’t emphasise enough the importance of the domain authentication protocol, DMARC. It’s a no brainer for curbing email fraud and potentially takes under 30 minutes to set up. For instance, if an individual receives a spoofed email from a customer, DMARC will prevent that – rather than going into the Outlook Inbox, it will go straight into the Spam folder or not be delivered at all. Essentially, DMARC makes it harder for criminals to deliver fraudulent emails.
Complacency on the part of individuals and organisations is what cyber criminals are banking on, as the old adage goes – prevention is better than cure. Taking the hassle now to put security measures in place will honestly save organisations a lot more “hassle” after a breach takes place. The same applies to health.