Fact 1. Almost all businesses rely on computer technology and this reliance is increasing.
Fact 2. Last year around two thirds of British SMEs experienced a cyber attack.
Fact 3. Two thirds of SMEs don’t regard themselves at risk from cyber attacks
Why is there this big disconnect between the risks that SMEs (and in fact all organisations) face, and the way that risk is perceived? Perhaps it is something to do with the way the whole concept of cyber risk is “sold in”. So here are a few do’s and dont’s when trying to persuade senior colleagues (or clients) of the importance of cyber security.
Don’t use FUD (Fear, Uncertainty, and Doubt). Telling people that their world is about to end is likely to have one of two results: they may be so frightened that they avoid thinking about the problem at all; or they will get angry with the threat and turn that anger on you as the bearer of bad news. Either way you won’t get anywhere with them.
Do describe some of the some of the things that can go wrong, but explain that these risks can largely be managed and that there is no need to panic if they take the appropriate actions (which you can help them with). Emphasise that there are practical solutions within reach and that, while 100% security can never be attained, there is a lot that can be done to reduce risk to acceptable levels.
Don’t use the cost of cyber attacks as a motivator. For many companies the cost of the average attack is really quite small. The average cost of a major security breach at a large organisation is £1.4 million. Sounds a lot if you are a one-man plumbing band, and it might be a lot compared with your salary or your budget; but it’s nothing if you are a Board Director of a major retailer. (Note the FUD in the headline – what about the cost of minor security breaches, what about small organisations?)
Do talk about business problems and emphasise that the real damage is likely to be to reputation, staff motivation, compliance failure, and the leakage of strategic information. Oh, and it can cost you quite a bit too.
Don’t make it all sound difficult. If you start using jargon and describing complicated technology then all you will do is convince your colleagues that you should be talking to the IT department and not them.
Do explain that cyber security is a people problem not a technology problem. It can impact anywhere in an organisation and needs to be managed by the whole organisation and not just the IT department. After all most problems are caused by insiders – accidentally, because people trust too much, because security systems are not usable (and so don’t get used), or simply because people don’t understand the risks.
And finally make it personal. Explain how cyber unsafe behaviour can put their own possessions, and more importantly their own reputations at risks. If they appreciate that they need to act in a cyber safe manner, the chances are that they will accept that their organisation also needs to be cyber secure.