This week:

3 – You don’t care about cyber security.

2 – You shouldn’t care if the global cost of cyber crime is $8 trillion or $8 billion.

1 – You should care if someone tells you to give them $50,000 in a shoebox.

 


 

3 – You don’t care about cyber security.

“In every survey, we are told that cyber security is a major concern and a top priority for organisations around the world. And yet, when [people providing security services or solutions] try to talk to the ‘normal’ people in these organisations about cyber security, their eyes glaze over. Why?”

That’s the question posed in a recent Cyber Ireland article. According to the author, it is “because [normal people] don’t want to engage in a detailed discussion about cyber security. And they certainly don’t care about magical solutions. They care about their strategic goals [and] about understanding and reducing the risks that might prevent them from achieving these goals. [Therefore,] if we want to talk to most ‘normal’ people about cyber security, we need to talk to them about reducing risk.”

So what? I completely agree with this article. Which is not really surprising, given I wrote it!

 


 

2 – You shouldn’t care about the global cost of cyber crime.

“In July 2023, Cybercrime Magazine published the claim that cybercrime is predicted to inflict damages totalling $8 trillion USD globally in 2023”. Many people, including the CISO of LinkedIn questioned this figure, because such a figure would make cybercrime “the 3rd or 4th largest economy in the world by GDP and the second or third largest industry, ahead of oil and gas, by revenue”.

The figure is discussed in a recent article in SecurityWeek, which questions the broader use of FUD [Fear, Uncertainty, and Doubt] in cyber security marketing.

So what? Whether the cost to the global economy is $8 trillion or $8 billion, it shouldn’t matter to you. What matters is the potential cost to you and your organisation if you are attacked. And the most pragmatic way to estimate the cost is to put this through your risk management process. This will force you to consider the real risks (likelihoods and impacts) of a cyber attack on your organisation, and then help you to identify the reasonable steps that you can take to reduce the risks so they are acceptable to you (aka ‘within your risk appetite’). In other words, cyber security is ‘just’ another risk.

 


 

1 – You should care about the CIA telling you to put $50,000 in a shoebox.

‘I put $50,000 in cash in a shoe box, taped it shut as instructed, and carried it to the sidewalk in front of my apartment, my phone clasped to my ear. “Don’t let anyone hurt me,” I told the man on the line, feeling pathetic. “You won’t be hurt,” he answered. “Just keep doing exactly as I say.”’

This is the first paragraph from an astounding story recently published by The Cut (and shared by Secure The Village), titled “The Day I Put $50,000 in a Shoe Box and Handed It to a Stranger”. I’m not sure I’d believe the storyline if it was an act of fiction. But, apparently, it’s a true story.

So what? In case you aren’t sure, there is never a legal reason to hand a shoebox of cash to a stranger!