Shivers, confusion, and a slight panic – the feelings rush through your body as you know something has gone terribly wrong. You never thought it could happen to you, but there it is… Your cybersecurity has been breached…
This was the scenario for Uber in November 2016 when they were faced with a critical security attack. Hackers had stolen data containing 57 million of their driver and rider accounts. Other major players, such as Yahoo and the UK’s National Health Service (NHS), have also been in similar situations in recent years. Only a few weeks ago the Norwegian counterpart to the NHS, the RHF, had half of Norway’s personal health records stolen. And this week is no different, this time the official Winter Olympics website was taken offline after being hit by a cyber-attack. Seemingly, it’s no longer a question of if an organization will be attacked, but when.
Many, still, do not consider that anything bad can ever happen to them or their surroundings. Of course, that is not correct. This way of thinking is called optimism bias, and it can cause the downfall of any corporation not taking the necessary steps to protect themselves.
why not to be optimistic about cybersecurity
Optimism bias means that we automatically assume that only good things will happen to us. Say you’re a heavy smoker. You then automatically believe you will be lucky and die of old age. However, if someone else smokes a pack of cigs a day, surely that person will die of cancer.
In an article by The Guardian, cognitive neuroscientist Tali Sharot explains that overestimating the outcomes is what people do instinctively. Humans routinely stay optimistic and hopeful, even when it is not rational to be so.
According to Sharot, the financial crisis in 2008 was a result of optimism bias. When all evidence confirmed that the market wasn’t right, most people kept thinking that it could keep going up, up, and further up. How come? Well, studies have shown that 80% of the population will be slightly too optimistic when they are faced with difficult circumstances.
Cybersecurity: A glass half empty rather than a glass half full
A recent report from Deloitte states that 72% of cyber-attacks aren’t discovered for weeks. Even so, only 7% of organizations consider cybersecurity a top priority when it comes to their digital transformation. Is there reason to let the mind wander to optimism bias? Maybe.
Cyber threats are growing rapidly. Now is as good a time as any to shift focus, examine strategies, and move cybersecurity to the top of board-level agendas. Because cyber risks are not only an IT issue, it is also one concerning leadership and governance. Effective cyber risk management starts with the awareness of the board. As a part of corporate accountability, it is crucial to stay on top of an organization’s security protocol. Regulatory controls are not to be overlooked. These are no ‘obstacles’ that need to be overcome, but rather something to include in the corporate routine.
The one piece of advice that can improve cyber risk management is to consider the glass as half empty; Be cynical. And do not be fooled to think any of the following:
- You are not vulnerable
- There are no broad consequences if an attack were to happen
- Monitoring threats can be done by using internal resources only
No matter the size or needs of your corporation, trustworthy security software is ever so important.
Stay realistic in a cyber breached world
In late 2017 when the story about Uber’s security breach broke, it also came out that they had tried to hide their “hiccup” by paying hackers to delete data and sign non-disclosure agreements. Whether that decision came from optimism bias, that no one would ever find out, is only for them to answer.
Now, this has not been the end of the world. Uber, as a company, is obviously not collapsing, but its credibility is on its brink. And when translated into true costs, this can mean millions of dollars lost as the company is facing legal actions.
While many board-level decision-makers, surely, understand the importance of secure data protection, some probably still prefer to believe a data loss won’t happen to them. Though if there is one thing to take away from the Uber debacle: Better to be safe than sorry.
“For us, security is a constant and continuous effort.”