BEFORE I BEGIN..
If you’re interested in hearing more about cybersecurity for regulated financial services firms or about the common ways that most attacks succeed, I will be discussing these topics on an Irish Funds webinar at 9am tomorrow (Friday 27th January).
This is your last chance to register.
And thanks to the 300+ people who have already signed up!
END OF INTERRUPTION
What gets ~~measured~~ tested gets done
I mentioned yesterday that 73% of CEOs agree that regulations help to reduce an organisation’s cyber risks.
Credit: WEF Report, Figure 2, Page 6
To school through the fields
It got me thinking of my school days:
- I’d start the year committing to learn everything about a subject.
- And finish the year asking the teacher ‘will it be in the exam?’
What has this got to do with cybersecurity?
As I mentioned yesterday, in the run-up to GDPR, I recall a significant increase in companies seeking guidance on how to improve their cybersecurity defences.
Looking back at that time, it is clear that:
- Many organisations did not suddenly choose to act because of the risk of a data breach; that risk existed before GDPR.
- They chose to act because of the risk that the breach would become public knowledge, resulting in reputational and financial damage.
It was this fear of publicly failing a test that drove action.
What gets tested gets done
This is why I think the results of this WEF survey are insightful.
- When we were at school, we focused on the things that we would be tested on (by our teachers).
- And today, we still focus on the things that we will be tested on (by our regulators).
So what?
In our preparation for a test by regulators (which may never happen), we mustn’t forget about the things that cyber attackers test us on (frequently).
Fortunately, most of the tests from cyber attackers include some very simple questions.
For example:
- How do you ensure your staff are aware of why and how they are targeted?
- How do you stop a malicious email getting through to a staff member?
- How do you protect your bank account so one staff member being fooled does not quickly lead to financial loss?
- How do you ensure an attacker needs more than just a password to log in to your systems?
- How do you ensure you won’t lose critical data and systems if your other defences fail?
The questions are simple because the attackers know many organisations will fail the test.
So what to do?
Make sure you are preparing for the most likely tests.
If you’re unsure about your preparations, take 2 minutes to find out: https://score.codeinmotion.ie
If you know you’re not ready and you need help, I’m here.
PS If you want to look at past exam papers, here are two good ones:
- DPC report on a breach at the Teaching Council of Ireland – I discuss this incident here.
- PwC report on a cyber attack at the HSE – I’ll talk more about this soon, but here’s an excellent executive summary from PwC.