I describe the four main cyber security vulnerabilities as the ‘Four Horsemen of the Cyber Apocalypse’. I believe it helps organisations to understand it’s not just about IT.

Cyber crime culture

In response to an unexpected career change in 2019 I decided to go back to university and the year that followed was one of the most rewarding challenges of my professional life. After many years of leading Telecoms technical operations in Asia I chose to study full time as a mature student and completed an MSc in Cyber Security at City, University of London.  


I find the subject incredibly exciting because it combines technology with the real world of crime and illegal activities: a world where Dark Nets and the Deep Web offer hints at secrets yet to be discovered, and evil hacking groups match their wits against the cyber defences of entire nations in a new cold (cyber) war.

Cyber crime even has a strong subculture associated with it – the Guy Fawkes mask (made famous in the British graphic novel ‘V for Vendetta’, written by Alan Moore and illustrated by David Lloyd) is synonymous with hacking culture.

Consequences

However, there is a real and very dark side associated with all of this. McAfee estimates that the costs of cyber crime now represent 1% of global GDP, a trillion-dollar industry; up from $445Bn in 2014. Some sources even put the current figure much higher.

The very tangible effect of attacks can be felt in the loss of critical national infrastructure. Take the attack on the Colonial gas pipeline in 2021 – fortunately on that occasion it was only felt on a temporary basis.

At a more personal level, it is heart-breaking to see the damage from a ransomware attack on a government organisation that actually exists to help people.

Cyber risks

For all organisations, the challenge is how to understand and assess the risks, and then how to protect against them. Yet cyber is not well understood, growing as it has out of the IT infrastructure that has traditionally been left with the ‘IT crowd’ to manage.

Cyber is never really the Exec’s priority – as long as it all works nobody cares about the how.

In response to the growing threat, a multitude of companies have sprung up offering various services and products that are meant to protect us. In 2019 the Wall Street Journal noted that there were over 3,500 cyber vendors plying their wares.

Few of these products integrate with each other, resulting in an ever-increasing workload for security teams trying to make sense of what the various tools might tell them. If only they could interpret the deluge of data from the disparate sources. Pity the security professionals left trying to stitch together a workable security solution from the individual parts, hoping to make their organisations safe.

As a director of the UK’s National Cyber Security Centre (NCSC) recently commented “…a lot of the industry operates in much the same way as medieval witchcraft: buy my magical amulet and you’ll be fine.”

Cyber weak points

The challenge of being safer for any organisation isn’t solely technical; it has to come from a proper understanding of an organisation’s business operations. Why? Because that is where the vulnerabilities lie – hidden in forgotten, unpatched assets.

It may be a handoff between human operators that can be spoofed; an out-of-date operating system that talks to the bank; or security CCTV monitors installed with their default passwords left unchanged.


Four horsemen of the Cyber Apocalypse

Management – and this is a management-wide issue – faces four major challenges, which I like to refer to, in a nod to the drama of cyber’s subculture, as the four horsemen of the Cyber Apocalypse:

  • Ignorance
  • Fear
  • Management
  • Staff

Ignorance

Let’s start with the first rider, ignorance. Look to online sources for help and you can find a lot of solid advice such as:

  • keeping your software patched and up to date
  • ensuring that 2-factor authentication is enabled for all logins
  • maintaining backups of critical systems

But this assumes that the company knows what its IT assets are – its attack surface.  The reality, especially for larger organisations, is that ignorance of the true scale of systems used – software and hardware – is a major issue.

How well do you actually know what you are trying to protect?

How well do you know the data and associated systems, both hardware and software, not to mention all the end user devices, and the myriad connections to the internet or other systems? Figuring that out can be an enormous initiative all on its own.  

Then you have to analyse what the potential threats are, but again, this will only make sense if you have a firm understanding of the systems you are trying to protect. This is made more complex by the need to understand how the technology enables and interacts with business processes.

Many successful cyber attacks have taken advantage of the way in which the tech is implemented: human interaction can provide opportunities for attackers to breach system defences that otherwise seem insurmountable.  

The BBC podcast ‘The Lazarus Project’ from 2021 describes a masterclass by North Korean hackers in how to hack on a complex scale, utilising both technology and an understanding of the underlying business operations.

And if all of that wasn’t a big enough ask, the risk now extends through the technology supply chain. How secure are the companies that provide services to you? They can become an unwitting back door into your systems. 

Fear

The second horseman is fear, and as one previous boss was fond of saying – “Fear leads to irrational behaviour”.

If the challenge of cyber creates a culture of fear in an organisation, the irrational will happen. This can be seen in the implementation of tools that aren’t properly understood but that, it’s hoped, will protect (those ‘magic amulets’), or in a culture of fear around screwing up. The end result will be a vulnerable organisation that doesn’t understand the risks inherent in its systems and operations.

Fear can also incapacitate; nothing gets done because the task seems too complex, and hence overwhelms. That is, until organisations are forced to act by legislation.

It’s interesting to note that the arrival of the GDPR in 2018 forced organisations collecting, processing and storing the personal data of EU citizens to do more to protect it.  

Research completed by business advisory firm RSM UK found that 68% of businesses across Europe reported investment in cybersecurity due to the GDPR requirements. These investments seem to be paying off, as 42% of companies agreed that the GDPR had made their business safer from cybercrime.

No doubt the process of standardising security will continue to grow on a global scale with the onset of more legislation, the fear of huge fines and personal liability forcing decision makers to act.

Management

Our third horseman is management. Perhaps a better but less pithy term would be ‘management that doesn’t understand its role in security’.

Every manager has a role to play, from the technology leads to the head of HR. An understanding of how security works within each team has to be agreed and communicated across the whole company. Management have a responsibility to ensure that the correct behaviours and awareness exist within their respective areas.

The biggest mistake organisations make is to leave it to the ‘security team’ in the corner, with the hope that they are on top of it. As the saying goes: hope is not a strategy. 

Staff

The final horseman is staff – employees in general. If they are ill prepared or unaware, then they will become the weakest link.

In a worst-case scenario, disgruntled (or desperate) employees could become accomplices to an attack, accepting an offer from a hacker group for a percentage of whatever is extorted from the organisation after a ransomware attack.


Employees who fear reporting incidents (or don’t know how to) are likely to cover up the very issues that the security team want to be alerted to.

Part of the solution is ensuring that no single employee can do too much damage – limiting their ‘blast radius’ through ‘zero trust’ policies. Employees should only be able to access / change what they need to – no more. 

Control

The four horsemen can be tamed to a large extent through good management; and it is that point more than any other that I want to make.

Bringing my previous career experience in operations and consulting in cyber reinforces the realisation that cyber security is fundamentally a management issue.

The technology alone cannot and will not protect the organisation without a solid understanding of how it fits with, and is a part of, normal business operations.

You cannot protect what you don’t know, and you cannot protect yourself from threats you don’t understand. The only way to do that is to open the conversation to a wider audience, involving the whole organisation – security has to be a group activity. Each team has a role to play – both implementing security, and communicating security.

While the threat to an organisation may well be a hacker sitting in front of a bank of screens, securing the organisation requires pragmatic business skills. These skills must be built on a firm understanding of everyday business processes as much as on strong cyber know-how.

Are you taking a holistic, business-wide approach to your cyber security? If you need help then get in touch and let’s have a chat.


Simon Clayton-Mitchell