Mary Galligan is a person that people tend to listen to. With a 25 year career as an FBI agent, it’s easy to understand why she commands a room, as she did during her visit to Australia in November. Now working as a cyber specialist with Deloitte, as Mary spoke to our clients, what really struck me was how the conversation around cyber is changing. Given the prevalence of digital in our businesses today, cyber can no longer be a reason not to do something. Instead it needs to be an enabler of progress and innovation. We need to move away from focusing our attention on cyber threat monitoring and defences and be asking ourselves, how can my cyber risk management work alongside innovation, product development and growth? We thought it would be useful to gather together ours and Mary’s experience of some of the most frequent misconceptions that we hear about cyber. Myth: Cyber is an issue for the IT department Fact: Cyber is not just an IT issue, it is an issue for the whole organisation and especially for leaders. They need to genuinely know what it is they are trying to protect. Business heads must accept it as inevitable that a cyber incident will happen, whether it’s an incident, breach, or technology issue. Executives need to see the risks and be clear on how poised their organisation is to respond. This cannot be done well unless you understand what you have in your cyber risk portfolio – who your third party vendors are, what is important to the organisation and where is it located? Once you know you can’t lock down everything, the most important thing for organisations is to be cyber intelligent – in other words – genuinely know what it is they are trying to protect. People love to say, ‘All of my data is important’. No, it’s not. If you only were able to protect one piece of information, what would it be? That’s a risk assessment. Mary noted cyber risk is just like any other enterprise risk the business might have to deal with. It is, and should be treated as a real business issue not just one dealt by the the technical teams in IT or Security. She stated organisations think about cyber as a ‘risk event’ instead of cyber as a ‘cause’ of many other real business issues that we are already familiar with. Mary distilled five risks events we can speak to in real business language: Data theft – identifying what is most valuable. Not just to you but anyone that might be able to get their hands on your information Operational disruption – brining your business to a halt through a technical issue or ransomware Business destruction – destroying infrastructure, applications and your organisation ability to function Data corruption/manipulation – consider those that might benefit from altering or manipulating your organisations records. Extortion – the fifth risk is extortion which could involve any of the above Myth: Cyber is something I need to consider at the end of my project Fact: Organisations need to have a culture (that leaders instil) where a cyber risk professional is involved on projects from the very start, they are part of the conversation and the journey all the way through. The most successful organisations will do this. Mary’s direct words were ‘If there is anything you can do as a business when developing a new product, service or innovation – it is to put the cyber risk professional in that group from the beginning – if there’s one thing you can do, do this. That is where you’ll see the most profitable and innovative companies go, having cyber as just part of their conversation from the start, they will flourish.’ Myth: Most cyber-attacks are by external factors Fact: Often your employees, or ’people error’ is the most common causes of cyber breaches There are three types of ‘insider threats’ (employees that cause an incident) that need to be considered and managed effectively: Ignorant employees- education is paramount for all employees to understand how their online activities can impact business Complacent employees bypassing policy and controls- systems and processes must be designed so controls are automated and cannot be ignored Malicious employees- organisations need to continually monitor employee’s online behaviours. Consider how your organisation can segment the user base and drive change in a much more targeted way. But remember, you have to trust your people every day. Teach all your employees that cyber security starts with the keyboard – we all play a role. Educate your technology people and set their expectations of what’s important to the organisation. Help people to have basic conversations around cyber risk, especially those who don’t feel equipped because they don’t have a tech background. Everyone needs some level of understanding. Myth: Cyber protection is too expensive – the risks are low and it’s just not something we can afford right now Fact: Almost 85% of all cyber incidents are caused by basic hygiene issues. Don’t underestimate your ‘mundane’ controls. Organisations have to have good hygiene, because most breaches often take advantage of weaknesses that already exist. Having the same simple passwords has been the cause for some of the largest breaches. Executives need to understand the very basic questions of who their third parties are, what information do they have access to coming from my company and what information am I giving them? And a lot of cyber awareness starts with empowering everyone in your organisation to be cyber secure – and you can’t buy a change in culture!