Andrés Velásquez is the founder of MaTTica, a pioneer in the deployment of digital research laboratories in Latin America and his vision of security ranges from experience to awareness.
The biggest risk in terms of cybersecurity is that senior management does not know how to understand the risks of a organization.
As we increasingly depend on technology and the digital economy is being pushed by the pandemic, some leaders of organizations – small, large or international – still cannot understand what represents a cybersecurity risk.
In many cases, organizations are more concerned with innovating or approaching Digital Transformation, something that was accelerated with the arrival of the pandemic. They were privileged to continue operating remotely and provide services to customers digitally without considering that the risks were still there, and in some cases, they migrated to other places exposing the organization, its collaborators, their information and customers.
But at the beginning of this pandemic, it was not the time for those responsible for cybersecurity to refuse to allow access to all collaborators through a VPN or to allow them to use their personal computers to continue working. Operations needed to be prioritized.
How do we get to this point?
The risks are, by facing these changes, that a collaborator may have access to confidential information that he did not have access to before, that he is using a personal computer he shares with his family and, due to ignorance, now has a malicious code that exfiltrates information from the organization.
This risk increases because the collaborator connects to their wireless network that does not have a password and then several neighbours could take advantage of it and use it and then one of those neighbours could get affected with ransomware that encrypted the computers connected in that network.
Although, it seems like a horror movie, it is possible it will happen. The traditional risks are still there but they have changed location. The houses of each of the collaborators, their computers, and their mobile devices, became an extension or a branch of the organization over night.
‘But nothing had happened,’ a general manager of an organization once told me emphatically after being affected with ransomware that impeded him from using his computers and his publishing information contained in the affected servers. ‘Why me?,’ he asked.
Because we prioritized the operation, we did not see the risks and no one alerted us. We never saw that switching from face-to-face meetings to virtual meetings required a protocol to be able to prevent an unknown person from joining the session so that no one could record the conversations, and no one impersonated someone else in the session.
Let me explain a bit.
Overnight we enabled the videoconferencing tools which were already available in the organization with the free versions that allowed 45 minutes of the session. There was no training, there was no induction. Like in other areas, we stepped up to use it the best we could and the risks were not seen.
Visibility
Now, not everything is as bad. I think we are in a very good time to rethink the strategy. We see clear risks that we have to mitigate: the information that is now in different points, access to critical or confidential resources, the personal data of collaborators, clients and allies, as well as, in my point of view, the greatest current danger: The visibility.
The visibility allows us to identify what is happening in our network, in our infrastructure, in computers or mobile devices that have information about the organization. I do not mean to control too much, to know exactly what is being done, but instead, to have enough visibility and control to be able to react in advance and not reactively.
This brings me to something that more and more managers need to understand. There are two types of organizations: those that have already been breached and those that are going to be breached.
Be it a disgruntled employee, a vendor, a cyberattacker or a cybercriminal, they will have the opportunity, the means and the reason to obtain a benefit, or information that they can later exchange for their profit. That is, the economics of cyberattacks that could, depending on the country, become a cybercrime.
Once, I was talking to a counsellor of one of the largest financial entities in Mexico. We began with a talk on aviation, a topic that we both treasure as private pilots for entertainment. The talk changed to the topic of cybersecurity, where he confessed to me that the main problem is that managers do not want to talk about cybersecurity because they do not understand the risk. They do not know how to treat it and when the cybersecurity specialist arrives, he is not able to explain to the business the risk and where the organization is heading.
Immediately, I told him that I also saw it from the opposite perspective. The specialists had not identified the risk to the business, they saw it as a technological risk, a risk to what they see around their neighbour or what the supplier tells them.
If we add to that the issue of not speaking the language of business, it will be almost impossible to reduce the gap between managers or business decision-makers and cybersecurity specialists.
I commented to him that, given the common taste for aviation, it would be very challenging to fly a plane that has not been checked on the ground. Imagine arriving, getting on and starting the takeoff and, already in the air, checking if fuel or oil is at the right level. His face changed immediately: ‘Not even crazy, it’s very risky,’ he replied.
That is what is being done in cybersecurity, it is trying to solve some things when they are already in the production stage, and may put the organization at risk. If we add that, unlike operational risk based on outdated statistics and changes that are to a certain extent controllable, cybersecurity risk is changing – in many cases we don’t know how to face a new attack so we have to be more agile and clear.
At the end of the day, everything evolves and everything changes.
It’s hard to imagine implementing security for the home without making changes or improvements if something has just happened in the neighborhood. Neither do we imagine that cars are, in terms of safety, as they were at the beginning of the XXth century, without seat belts or new technologies as we have today.
How to get involved?
All of this is cyclical, it’s a constant.
So what do you do as a manager to get more involved? What can you do to have more visibility of these risks?
Managers have to understand at a very high level the risks in the critical processes of the organization. They need to seek out cybersecurity performance indicators, support awareness within the organization, being the first to comply with them and commit and get involved in the subject.
They need to get involved in a way that allows validating the cybersecurity of the organization, repeatedly asking the team of specialists:
- What are the most important threats to our business lines?
- What are we doing to mitigate these risks and how effective are these countermeasures?
- What is the residual risk and what are we going to do with it?
- Have we done exercises to measure effectiveness?
All this will allow you to have a conversation with the specialists, but also for both of you to have in mind what to do and understand what is going to happen.
Click below to share this article