I want to take this opportunity to summarize two or three recent studies I read concerning cyber risks. I do this especially in light of the recent news showing that more than one billion (yes, that's billion with a B) Yahoo users were the subject of an attack almost three years ago.
My official Murph "rub you raw" comments are highlighted below.
Against the background of multiple high-profile data breaches and cyber attacks, a growing number of businesses of all sizes see cyber risk as one of their biggest issues next year – and beyond.
Well, the good news is they're at least recognizing it as a risk.
Globally, corporations across most industrial sectors expect the frequency and severity of cyber-related events to increase. Firms in North America, especially in finance, professional services, wholesale and retail, rank cyber risk higher than their counterparts in other countries.
At this point, I really could care less if a merchant in Antarctica sees cyber risk as more than theoretical.
Data breaches, both malicious and accidental, are the biggest cyber risks on the corporate agenda.
Probably ranking right below what 32 flavors of ice cream will be served during the board meeting's afternoon break.
Malicious data corruption, theft and misuse are the top risks based upon a growing number of criminals who seem to be targeting attacks on firms’ intangible information assets. The risk of accidentally exposing or corrupting data is the secondary major concern, in part, because most recent breaches of notoriety have occurred as a result of legitimate user credentials (weak, default or stolen passwords) being misused for access.
So, have they never heard of a cattle prod to correct password-ignorant personnel?
Most corporations expect that these risks will increase substantially over the next few years.
Ya think?
Senior management at firms that rank cyber risk as high are engaged and knowledgeable about the evolving threats, especially as they relate to areas such as finance, consumer products, energy sector and the hospitality sector.
Hey, did you read something in the paper about some 'yahoo' having data stolen? Who, which 'yahoo' are you talking about?
Even with this awareness, many firms remain ill-equipped to respond, in part, because cyber security rarely is linked to business objectives and strategy. It's typically considered a purely technical issue. Companies fail to see the potential effect upon their bottom line, either directly, or as a result of bad press associated with a major attack.
They are "too big to fail," even if they give your social security number to every crook on the planet.
Generally, corporations see cyber risk as an IT issue, rather than an asset risk management issue. Big businesses simply don’t know or understand how to evaluate cyber risk, in part, because risk managers don’t seem to be able to quantify the dollar value of such risks.
Now they want to blame their lack of understanding on the "bean counters" who don't know how to count beans they can't spread out on the table and put into a jar.
Technological progress has resulted in a proliferation of digitally connected devices, an explosion of ecommerce and the integration of the Internet of Things.
Next thing you know, Joe Woodards' predicted "Rise of the Machines" super-computer will be sitting at the corporate board table.
These changes are not only boosting economic activities by turning mom-n-pop shops into global distributors and major retailers into ecommerce wholesalers, but they're impacting everything in the supply chain, from product design and manufacturing, to distribution, spending and payment channels.
Is globalization at the expense of self-identity really a good thing?
At the same time, these technological and economic trends create significant challenges impacting the potential benefits from digitalization. In the absence of clear and agreed-upon architectures for connected systems, technical IT vulnerabilities are growing almost as fast as the system as a whole.
Because cyber criminals can adapt about 10 times faster than the rest of those trailing behind – try to stop them.
Cyber security and how to manage the associated risk is an increasingly important topic, yet one that's too often under-planned for, if not overlooked altogether.
"They will never want my information." "Keep those strong password requirements to yourself."
From an Information-Risk talent and skills perspective, 60 percent of firms which rank cyber as a high risk do not feel confident that their workforce currently has adequate skills to cope with threats. Smaller firms are especially vulnerable.
The cyber-tech schools still are teaching the vulnerabilities of DOS. How could there ever be enough 'brainy' guys to defeat cyber crime? Everyone smart becomes a hacker by age 7.
Less than half of all firms conduct regular risk assessments or document risk practices. And the vast majority of businesses, of all sizes, still manage cyber risk in an ad hoc manner.
Hey, my town has a fire department, I don't need my own "firewall."
Few companies take a business-wide approach to cyber risk management, even among those who say they see a cyber attack or data breach as a significant threat.
The next best thing to do about cyber threats is play golf at the country club next Thursday.
Can you read between the lines? Nobody's doing a thing about cyber risk. They're waiting around for it to happen.
And that really rubs me raw.
I heard a good line about cyber self-protection the other day – The next time an internet site asks you for information, just lie. If they want your mother's maiden name as a security question, give them "Idunno" as her last name. If they want your date-of-birth, tell them your birthday is "7/4/1776." And for that social security number inquiry, try saying "123-45-6789."
You get the picture. If all these internet-based trustworthy(less) businesses are going to do nothing but give your information away to any hack who can attack, then let the hack attack blast the internet with even more lies than it currently spouts on a daily basis.
Even better, just give them Mr. Underhill's American Express Card number (please watch the movie "Fletch").
And that's my two cents.