TL;DR – Anyone trying to convince management (internally or externally) of the need to invest in cyber security must start by highlighting relevant examples of risk management failures that appeal to both their logical reasoning and their “croc brains” on the emotional side. They need to know that ignorance of information security risks is indefensible and inexcusable. This article illustrates how “easy-to-guess, worst case scenarios” are forgotten when leaders are ignorant or oblivious to information security best practices. Managers must learn that making a modest investment in assessing and addressing those risks is now mandatory, and has clear benefits to their organization.
We’re all pretty bad at judging risk, but managers need to make an effort
You don’t have to look very far to recognize that humans are not good at understanding risks, let alone managing them. For example, you may have heard of the paradox where people who are deathly afraid of being eaten by sharks (a very low actual risk – one death per year in the USA) don’t seem to fear dying an equally gruesome death in a car accident; an event that is 30,000 times more likely to occur.
We may laugh at people who choose to value certain risks differently than we do. But when it comes to businesses, we must demand that leaders be more grounded, and able to make relatively rational decisions about risks that may seem unpredictable at first glance. They should also be encouraged to acknowledge the human pain and suffering that can occur when they decide not to properly secure their customers’ data.
Sadly, when it comes to information security risks, many executives seem reluctant to admit that their own organization could be hit with a devastating cyberattack. “It won’t happen to us” or “We’re not a target” are the most common visible symptoms of this affliction. But the signs are clear that every organization is now a target, and if you don’t prepare your people, processes and technologies, you will soon be wishing you invested a little more in security measures like two-factor authentication for IT administrators, or employee awareness training for all staff.
The recent news story of the Guntrader website data breach in the UK that affected just 111,000 citizens doesn’t seem huge, but it turns out to have become a potentially life-threatening risk for many of the victims. Guntrader is an online marketplace forum for gun-owners who want to buy and sell firearms. It was apparently breached in July 2021 in what appears to have been a very predictable event, even though the actual threat scenario (animal rights activists stealing gun-owners’ location data from the site and dumping it publicly) might not have been obvious to anyone.
For whatever reason, the company managers allowed the website to store the precise geographic locations of most of these customers. They probably never even thought about analyzing the risks to which they were exposing their customers versus the investments required to protect that sensitive data. They may not have even thought of it as being sensitive data. However, what may appear to be an unfortunate accidental leak of personal information could be a very real and unacceptable neglect of management’s responsibility.
How could they have known that an “activist group” might break into their website and steal data that was only intended to be used to help buyers and sellers locate each other? And how could they have also known that when that group deliberately published this data, that criminals would find a way to precisely locate thousands of homes and businesses where firearms were stored? Who could blame them for not foreseeing this very improbable scenario?
Actually, any manager that knows how to assess cyber security risks would have spotted that scenario in seconds, as soon as a valuable asset, such as guns, is paired with precise geographic locations, and then grouped together into thousands of records in a single database. This should really be a case study in every first year management course.
One thing we have learned in the past 10 years about cyber security risks is that bad guys will eventually find a way to abuse the features we hope will provide convenience for customers. The bottom line is that “every new benefit to the good guys, also presents an opportunity for the bad guys”. But most leaders have not yet learned to routinely consider how any features they add might be abused by an attacker.
For the benefit of skeptical executives who still feel they shouldn’t be held responsible for not anticipating a cyberattack on their own business, I’ll suggest three simple things that Guntrader managers could have done to properly assess and address these kinds of risks. We don’t know if they actually attempted to do this or not, at this point.
1 – They should have recognized that their website would be a target for various attackers, especially criminals, simply because of the presence of firearms. Every business that’s worth anything has something worth attacking. Start with the question, “Who might want to access what we have, for any reason?” This is simply a business’s “Ideal Attacker Profile” (as contrasted to the “Ideal Customer Profile”).
2 – Once they have that knowledge, managers should be asking, “What do we have (or should we have) in terms of information security measures to protect our customers’ private information from highly motivated and capable attackers?” (I call this the “Charlie Weaver block” – as in the 1960s Hollywood Squares game show.)
There are established, well-published guidelines all over the Internet to help businesses protect their systems and data against the most common methods of attack (or the low-hanging fruit such as phishing and social engineering threats).
3 – When threat agents like activists and criminals can be easily characterized, management needs to minimize the data that could be of value to an attacker; never store more data than you need. In this case, precise geographic coordinates aren’t necessary to show a buyer the approximate location of a seller who has a gun they want to purchase. The risk could have been reduced significantly by making the location data intentionally less precise, so an attacker wouldn’t have any expectation of deducing an actual building location where firearms are likely to have been stored. This is traditionally called “Data minimization” in privacy and risk management circles.
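The data minimization step above can be built into the system itself rather than left to policy. The following is an added example, not code from Guntrader or from this article, showing one way to coarsen a seller’s location before it is ever stored: each coordinate is snapped to the centre of a 0.1-degree grid cell, the record is tagged with the worst-case radius that value can resolve, and a check function confirms that nothing finer than a cell centre made it into storage. The listing record and coordinates are constructed sample values.

```python
import math

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def coarsen(lat, lon, cell_deg=0.1):
    """Snap a precise coordinate to the centre of a grid cell `cell_deg` wide.
    Only the cell centre is kept, so the original precision never reaches storage."""
    lat_c = (math.floor(lat / cell_deg) + 0.5) * cell_deg
    lon_c = (math.floor(lon / cell_deg) + 0.5) * cell_deg
    return round(lat_c, 6), round(lon_c, 6)


def max_error_km(lat, cell_deg=0.1):
    """Worst-case distance from any point in a cell to its centre (half the diagonal).
    Anyone holding only the stored value cannot narrow the location beyond this."""
    half_lat = (cell_deg / 2) * math.radians(1) * EARTH_RADIUS_KM
    half_lon = half_lat * math.cos(math.radians(lat))
    return math.hypot(half_lat, half_lon)


def is_coarsened(lat, lon, cell_deg=0.1):
    """Check that a stored coordinate sits on a cell centre, i.e. is not a precise fix."""
    def on_centre(v):
        return abs((v / cell_deg) % 1 - 0.5) < 1e-6
    return on_centre(lat) and on_centre(lon)


def minimize_listing(listing, cell_deg=0.1):
    """Return a copy of a listing with precise coordinates replaced by the cell centre."""
    lat, lon = coarsen(listing["lat"], listing["lon"], cell_deg)
    out = {k: v for k, v in listing.items() if k not in ("lat", "lon")}
    out.update(lat=lat, lon=lon, location_radius_km=round(max_error_km(lat, cell_deg), 1))
    return out


# Constructed sample listing (not real data): a precise fix in central London.
SAMPLE = {"id": "demo-1", "lat": 51.507351, "lon": -0.127758}

if __name__ == "__main__":
    stored = minimize_listing(SAMPLE)
    shift = haversine_km(SAMPLE["lat"], SAMPLE["lon"], stored["lat"], stored["lon"])
    print(stored, f"moved {shift:.1f} km; worst-case radius {stored['location_radius_km']} km")
```

A 0.1-degree cell is roughly 11 km on a side at UK latitudes, which still lets a buyer judge whether a seller is nearby while leaving no building-level fix to leak.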
When you recognize how easy it would have been to spot and address the risks in cases like the Guntrader breach, it’s going to be harder to forgive managers who have failed to be proactive. This breach might still result in deaths that could have, and should have, been avoided. Keep in mind that the potential victims may even include unrelated people. For example, anyone who may have just moved to the same location as a customer of that site, at some time since they first began storing data 5 years earlier, is likely to have their location identified in that exposed data.
Once data is stolen, you don’t know what it will be used for, but you can often guess
In most data breach news stories that come out before all the details are even known, we often hear the calming phrase, “there is no evidence that any of the stolen data has been abused in any way.” This has usually been the most effective way for affected organizations to get the news cycle to pass it by. This is what I refer to as the “Jedi data breach whitewash”.
In the Guntrader breach case, there seems to be quite a bit of evidence that the data was abused, and in a big way, which may have put thousands of people at risk of having their homes or offices targeted by criminals. For those of us who want to make sure that businesses and governments take more responsibility for securing sensitive data, we should feel compelled to start highlighting stories like this one. These plausible scenarios and alarming outcomes represent very illustrative examples of many managers’ unhealthy desire to ignore or discount cyber security risks. The easily anticipated outcomes can literally result in life-threatening and even tragic situations.
A word about FUD
The greatest criticism of this argument will likely come from those who care more about saving tangible dollars in the short term against investing in unknown benefits. They will say we are spreading unwarranted “Fear, Uncertainty and Doubt” (FUD). But FUD is really only unwarranted when risks are over-emphasized, and we are clearly a long way from having cyber security risks under control in most businesses.
So, in a sense, “accurately describing risks” may be considered to be FUD by some people, but it is not only warranted, it’s long overdue. The real criticism should be aimed at those who are downplaying the very identifiable and significant risks that can easily be avoided.
It’s easy for managers to put their “shields up” and be skeptical of security solutions as a way of not having to deal with the risks. But they need to be able to spot potential opportunities to improve their security posture where it is needed.
What should managers be doing to make sure they are in a defensible position with respect to cyber security risks?
Here are three questions to ask when the idea of “investing in basic security best practices” seems unattractive from a management perspective:
1 – What information assets do we have that could be targeted for theft, abuse or destruction?
2 – What would the worst case scenarios and injury be, assuming a capable attacker was able to compromise those assets?
3 – What are the best practices AND the most effective measures for reducing the likelihood and impact of an attack?
If you don’t know what a breach is likely to cost and who might be affected, it’s impossible to decide on the appropriate level of security investment or where to put it. But you really should know that for most businesses, a cyberattack will happen at some time. (A 2019 report by Proofpoint showed that 88% of all businesses experienced a spear-phishing attack in the previous year.) You just don’t know when it’s going to happen, or how extensive the damage will be.
Best practices generally require a reasoned balance of security measures across “people” (through security awareness training), “processes” (through solid governance structures) and “technologies” (for consistent application of security rules in information systems). No single security measure will be the best solution.
Risk assessments must be embedded into business processes and enforced by top executives
A risk assessment can be done as a “management analysis” to consider all plausible threat scenarios. I say “management analysis”, because this doesn’t have to be a deeply technical, black magic ceremony. It’s really just brainstorming on how an attacker might take actions you haven’t thought of, and then estimating the potential damages or injury that might occur to the organization or its stakeholders.
It’s time for executives to stop assuming that “we don’t have anything worth attacking”, or that “nobody can predict every action an attacker might take”, and especially that “we aren’t vulnerable” (without justification). There are a lot of proactive measures that can be undertaken easily to anticipate and address cyber security and privacy risks, which most leaders are not yet doing. They need to learn to manage the risks that are relevant to their business now, or they will soon find themselves regretting that they are in an indefensible situation that could have been easily avoided.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.