The first thing Brian draws to our attention is that, technically, ‘cybercrime’ doesn’t really mean anything.
As a word, it’s fresh from the late 1970s: cybermen, cyberspace, cybersexcitement. By definition it is ‘something to do with computers, information technology, and virtual reality.’ That narrows it down to everything in 2016.
“Let’s treat ‘cybercrime’ as normal. It’s just bad people doing bad stuff, the same bad stuff as has been done for thousands of years.”
This ‘cyber opacity’, in the context of crime, equates to a fog of understanding that makes it difficult to do anything meaningful. “We, meaning businesses and organisations, need to treat ‘cybercrime’ as a normal risk.” One of the points Brian repeats is that cybercrime (maybe we should call it something else) needs normalising. This means stripping away the mystique and techspeak and understanding it in a rational, ‘real world’ compatible way. Jargon, buzzwords, and media hype obfuscate and disguise what is actually a number of completely separate issues and risks.
Brian takes it back to basics. “So let’s treat ‘cybercrime’ as normal. It’s just bad people doing bad stuff, the same bad stuff as has been done for thousands of years. Breaking and entering. Theft. Vandalism. Espionage. Blackmail. Ransoms. Crimes as old as civilisation. The only new thing is the vehicle, the means, by which these nefarious activities are actioned.”
The game changers in cybercrime are scale, speed, location, and traceability in relation to what the media casually calls attacks. A single bad operator can command an army of ten thousand computers against a company or organisation. Events clearly happen at the speed of digital transmission: a problem becomes an unmanageable cascade of bad news in literally a second. Location of the attackers? Could be anywhere.
The challenges and complexities of information security make it especially important to take a normalised approach in business. Even calling cybercrime by the more correct term, information security, is helpful. Information is a thing: you know what information your company has, and where; what is important, and what is critical.
Let’s call it information security from now on. Brian uses real world analogies, such as how supermarkets protect tins of beans differently from bottles of spirits.
Imagine your house. You close the doors. You lock them. You keep windows closed. But someone can still pick a lock or kick down a door. So you look at what is valuable in the house, and you keep it out of view. What is really valuable, you keep in a safe. Then you look at what is critically valuable or sensitive, and perhaps keep that in a security deposit box in a bank.
You do what is reasonable to keep thieves out. But you acknowledge that thieves might still get in. If they really want to, they will. So you take reasonable precaution, have a contingency plan, and maybe an insurance policy. “There’s no point in having an intention of ‘make sure we never get hacked’. That’s not realistic.
It’s not about trying to become an impregnable fortress. It’s about being proportionate to the risk. Like any normal business risk.”
Back to business: how do we normalise information security procedures? It comes down to understanding the specifics: specific threats, the specific sectors associated with those threats, then the threats and risks specific to your organisation, its specific departments, its specific IT hardware, and the specific individuals using it. You really only need to know and care about risks that are relevant to your company.
This is so obvious in the real world that it’s normal thinking. And this is what we mean by normalisation of risk, threat, and response. Information has value. Some information has more value than other information. Protect accordingly. Human error is always going to be the weakest point in the information protection process. Therefore the first and most important response is education, training, and understanding the realities of business in 2016. It’s no big deal. It’s just another normal day.
Brian Lord OBE
Prior to joining PGI, Brian was the Deputy Director of GCHQ for 21 years, wherein he was responsible for Classified Intelligence and Cyber Operations. During that period, Brian directed the growth and perpetual evolution of departmental capability against emerging threats. He planned and ran both defensive and active Cyber operations, applied through unparalleled experience of cyber threat, risks, opportunity, and effective mitigation strategies. He culminated his career at GCHQ as an eminent thought leader on the subject of cyber warfare and on the intent and motivations of cyber threat actors.
At the time of departure, Brian also had overall GCHQ Senior Civil Service responsibility for the development, capability building, and requirement setting for the active defense and offensive Cyber capability and chaired the relevant joint GCHQ-MoD Programme Board.
Additionally, Brian developed operational coherence across both foreign intelligence agencies for his areas of responsibility; his experience extends to both the design and participation in cross-government National Security exercises.
At PGI, Brian has designed and delivered the PGI Cyber approach to organisational transformation and skill development, whilst growing and maintaining relationships with government and industry professional bodies, as well as the relationship with Academia within the Cyber Academy. Brian currently personally oversees all capability delivery for foreign governmental clients. Brian is regularly enlisted by the BBC and other national media outlets as a specialist spokesman on Cyber matters.