Hooded criminal masterminds hunched over their laptops in dark, underground lairs. That’s the image that springs to mind when we think about hackers. Even their titles emphasise their Bond-villain credentials: malicious actors, cybercriminals, hackers, threat actors. No other type of criminal has such a body of language to describe their activity. Is any of this justified? Are cybercriminals a breed of their own? Is ransomware the greatest threat to our society? How has this language of conflict and fear come to dominate cybersecurity discussions? And what should communications and marketing teams within security organisations do to dial down the DEFCON?
What’s cybercrime really like?
"With ransomware-as-a-service organisations running multiple campaigns at once and even having their own social media accounts, we should really be thinking of cybercriminal groups running like any other enterprise"
Kicking things off, is our stereotypical view of hacking accurate? Well, not quite. There are exceptions and outliers, but we can largely debunk the idea of the lone wolf single-handedly bringing down governments and big corporations. Large-scale attacks are the work of teams, not individuals. Microsoft has estimated that more than 1,000 engineers worked on the SolarWinds supply-chain attack.
With ‘ransomware-as-a-service’ organisations running multiple campaigns at once and even having their own social media accounts, we should really be thinking of cybercriminal groups running like any other enterprise. For all we know, some of the bigger groups could have HR departments, canteens and staff Christmas parties.
So ransomware is nothing to be worried about, right? Wrong. By some survey estimates, around 90% of UK businesses have experienced a data breach of some kind, and roughly half of UK organisations have been targeted by ransomware specifically. So it’s definitely a challenge that all businesses need to address.
Businesses face all kinds of challenges every day: competing, growing, managing supply chains, reducing carbon footprints, figuring out what the ‘future of work’ looks like, recruiting and retaining the best talent. All of these challenges have been rationalised and normalised. Only the challenge of cybersecurity has been made, and remains, extraordinary. That’s starting to look like not such a great idea.
‘Hackuracy’ or hyperbole?
So how has this come about? Well, partly thanks to the media. Hackers feature in an ever-increasing number of films, and it just isn’t cinematic to have hackers filling in annual leave request forms or queueing for the vending machines. But the cybersecurity industry has contributed too. So many of our brand identities, product names and marketing copy are drawn from the lexicon of war and conflict. We’ve contributed to the mythologising of cybercrime in the way we’ve structured and talked about our defences, and it contrasts sharply with the much cooler-headed approach we take to other kinds of crime and other sorts of business issues.
"If you want to try out disruption and reputational damage, try not paying your staff for a month. But HR departments don't have 'Payroll Command', do they?"
If you want to see disruption and reputational damage in action, try not paying your staff for a month. To ensure that doesn’t happen we have payroll systems and payroll managers. What we don’t have is ‘Payroll Command’. Contrast that with the cyber world and the ‘Security Operations Centre’. See where we’re headed?
Cyber breaches are disruptive, costly in terms of business function and reputation, and real people get hurt, for example when sensitive data is stolen. The same is true of fires, industrial action, trade disputes, unintended friction in transport links and border crossings and, of course, pandemics. And just as with those, there are well-thought-out business strategies to mitigate the worst effects of cybercrime, and technology plays its part in them. Cybersecurity has to be managed as a business process like any other. Maybe security teams have been too distant from the rest of their business for too long, too focused on their mission to bring down criminals, and that has created the potentially adversarial environment we sometimes see today.
Us vs them
The ‘us-and-them’ mentality, which can prevail in some SOC teams, creates an imbalance in trust. The ultimate expression of this might be the security industry’s concept of a zero-trust architecture. We can get behind many of the design principles here. In practice, zero trust means removing the implicit trust once granted to a network location or a device and instead authenticating and authorising every access request; it is a statement about systems, not about people. But we have to be clear: what or who, exactly, is undeserving of trust? Because it can’t be our colleagues and our employees. That would imply an assumption of incompetence, of guilt until proven innocent. And that’s not how our businesses (or our democracies) work.
"Isn’t it time we stopped treating our employees as the last line of defence, and started treating them as the first line of defiance?"
While it’s true that for cybercriminals the end user is potentially the easiest point of access, it’s time the cybersecurity industry stopped treating employees as the last line of defence and started treating them as the first line of defiance. In every other workflow and process in business, trust means everything. How would remote working flourish without trust? How do collaborations and creative endeavours succeed without trust?
Some parts of the cyber industry are already working towards infrastructures and processes that engender and evidence trust. People need to be able to trust the systems and networks, the devices and apps, that make us productive, collaborative and creative. The whole industry would do better to develop a new language around collaboration and trust, or risk alienating its most important allies, like you and me, in the very important effort to minimise the frequency and impact of cybercrime.
Why have we relied on selling by fear? Well, to an extent, it works. We’ve written in some detail about the psychology of ‘bad news’, and the positive and negative impact of statistics in storytelling. According to Forrester research quoted in Forbes, spending on cloud security alone is set to more than double between 2018 and 2023, rising to more than $12 billion. After all, the threat is legitimate. There is a constant stream of high-profile organisations hitting the headlines because they have become the latest victim, Colonial Pipeline being the latest, and certainly not the last.
But there is something topsy-turvy about the way fear-based selling has become the norm. We’re living in a world where hackers exploit confidence (they are, literally, ‘confidence tricksters’) whilst the good guys, those trying to keep us and our data safe, are peddling fear.
Fear is a really unpleasant emotion, for a good reason. It provokes an unthinking impetus to act: fight, flight or freeze. Most of us will walk the long way home, or spend good money, so that we don’t have to face it. The problem is that fear closes off our access to our thinking brains. So if we’re looking to recruit an army of intelligent, aware, thinking volunteers to help fend off the cyber threat, that is, our employees, fear becomes a liability.
"If fear is such a successful strategy, ask yourself why we're in the midst of a ransomware pandemic."
What can we do differently? The cybersecurity industry needs to continue to innovate if any of this is going to work. But beyond that, we need to stop the blame culture, exemplified by the train company that hoaxed its own staff with a bonus email that turned out to be a phishing test. We need to sell hope and trust, not fear.
How can I change?
Organisations need to think about normalising cybersecurity as a business practice, putting it front of mind for all users without exploiting their fears. Think about the concepts that businesses have adopted most successfully lately, things like diversity or sustainability. These principles weren’t dictated from the top. We don’t find equality and diversity teams hoaxing staff into learning about inclusion. In the companies where diversity has been most impactful, it has grown from the grass roots. Employees have been engaged from the get-go and have created meaningful and purposeful change. Cybersecurity could learn a lot from this approach.
Sell on confidence. Yes, we need to educate users and organisations about cyber risk: cybercrime, and ransomware in particular, is a big problem and it isn’t going away soon. But we need to promote a more positive conversation about cyber, help end users embrace it and engage with the discussion. Make open conversations the norm, and let people talk about their misgivings and their mistakes, which can make everyone safer.
Let’s work together to dial down the hyperbolic language, the language of fear, the heroics, and start selling peace of mind.