It won’t happen to us: An optimistic outlook on breaches

21 October 2015


Since I made the transition from industry to professional services, I have spent a significant part of my working life getting out and meeting lots of organisations and individuals who are considering what the topic of cyber security means to them. This includes Chief Information Security Officers, Boards, IT Directors, Company Secretaries, Operations Officers, business executives… the list goes on. Perhaps the range of roles shows just how pervasive the topic of cyber security has become.

One challenge I get levelled at me is whether I am worrying people unnecessarily talking about the threat and impact of a security incident or breach. When I hear the response “it won’t happen to us…” it’s usually followed by one of the following:

“We are… (delete as appropriate) too small/don’t have anything of value/are not that interesting to any hackers/are not a bank/don’t hold lots of cash/don’t have an online business/are smaller than our competitors.”

So let’s for a moment think optimistically. Let’s think positively that cyber security does not apply to you. You must work in an organisation that sounds a bit like the following:

No people. The vast majority of incidents involve people – such as clicking links in emails, not following good practice, loss or theft of information accidentally or maliciously. Your organisation is unusual, but that’s a great start in reducing your risk.

No technology, certainly not connected to the internet. This must also be true. As soon as you join any IT asset to the internet, your security risk increases. So again, you are in an unusual organisation, but you should rightly be feeling more optimistic. That must mean you don’t use email either! Have you sold this as a selling point in your recruitment process?

No changes to your IT systems. So you might concede there is some limited technology, but it’s all completely separate from the internet as we found out in the previous point. But as soon as your technology changes – no matter how much testing is carried out – you have changed interdependencies between technology components, and so your risk changes also. But in this organisation, no change means risk is reduced.*

* There is one tricky side to this. Someone outside your organisation can find a problem with the technology you use meaning you wake up one morning, having made no change, and your estate is insecure. But you have ruled out any connection to the internet, so that’s a reason to be optimistic.

You do not hold anything of any value. That’s a great help in reducing your worry levels. But most organisations must do “something”, or they wouldn’t exist. If an entity exists, someone, somewhere will be interested in what it does. Size or location is no strict guide of interest levels. You can’t second guess what others are thinking. If you don’t hold anything of value, you have no commercial information, no intellectual property, no customers, no product designs, and no third party contracts to take some examples. Not sure working here would be very interesting, but at least there is a reduced impact of any loss.

So…. we all know none of the above can be true.

That’s why I ask people I meet about their understanding, readiness, and ability to react should a security breach or incident occur. I also ask how you know for certain that a breach isn’t occurring right now within your organisation…

And I can ask questions on awareness based on facts. PwC works with the Department for Business, Innovation and Skills (BIS) to survey companies across the UK on cyber security incidents and emerging trends.

The key observations from the 2015 survey were:

  • The number of security breaches has increased, the scale and cost has nearly doubled. 11% of respondents changed the nature of their business as a result of their worst breach.
  • Nearly 9 out of 10 large organisations surveyed now suffer some form of security breach – suggesting that these incidents are now a near certainty. Businesses should ensure they are managing the risk accordingly.
  • Despite an increase in staff-awareness training, people are as likely to cause a breach as viruses and other types of malicious software.

You can read more about the other facts and figures here.

For the record, I am a very optimistic person by nature. But having worked in an industry role where I was accountable for running a security organisation, I am also aware of the very real risks and threats every organisation faces.

Now you will be ready for all my questions should we meet!