Did you know that the risks and threats in cyberspace are best combated through herd immunity, that your organization's ability in terms of resilience and continuity depends on you having basic cyber hygiene? Does your business understand the business benefit of cyber hygiene?
Modern cyber security is about risk management of cyber threats. Cyber security is not synonymous with IT security and/or information security. Cyber security is the collaboration of four areas: IT security, information security, laws and, above all, security culture. If you have good control over these areas, you have good cyber hygiene.
The goal of good cyber hygiene then becomes that the work with cyber security in your business aims to acquire an increased resilience linked to risks and threats in cyberspace. And the risks out there for businesses can be summed up in non-compliance, financial risks, operational and strategic risks. A lack of risk perspective also means that businesses only focus on external threats, risks and threats that come from outside the business and not from within. Insider threats cost businesses almost twice as much as, for example, ransomware.
Did you know that when we talk about cyber hygiene, it is not just the hygiene of your business that is meant. This includes those you do business with, to whom you deliver or who deliver to you and their suppliers. Cyber hygiene is therefore the collective digital cyber security capability, private sector as public sector. We must therefore collectively achieve a form of digital herd immunity linked to risks and threats in cyberspace. And in a reality where businesses have many times transferred the ownership of cyber security work to an external IT service provider, this cyber hygiene will never be achieved, let alone herd immunity. This is because cyber security is not an IT issue but a business issue. An IT provider can rarely deliver in all four areas of cyber security.
Take, for example, how we risk-managed the Corona pandemic. We did it with a mouth mask, keep your distance, wash your hands, stay home at the slightest symptom and vaccine. And the efficiency was that everyone did this. A service provider that delivers IT to you will only be able to give you a face shield, ask you to keep your distance or perhaps give you instructions on how to wash your hands. At most, they can deliver technical and limited organizational processes. Washing your hands, being aware of symptoms and taking vaccines is your business's responsibility, not theirs. The suppliers know this and disclaim through contracts that you do not follow best practice. The comprehensive organizational processes and the very culture of doing the right thing, that responsibility lies with your business and your employees. NIS2 demands responsibility and serious penalties for those who believe that only mouth protection and distance are enough. It requires that you take the vaccine, wash your hands and act in case of symptoms. Herd immunity, our resilience, rests on you and all of us shouldering that responsibility and making security every day.
Did you know that laws such as NIS2, DORA and others require that you work with risks in the supply chain, and work with them systematically? They demand this as the supply chain is the most overlooked risk among businesses today, more than two-thirds of all incidents can be traced to the supply chain. The threat also exists from outside through malicious links, viruses, load attacks and information impact. But the biggest threat is already on the inside because businesses are connected to each other like never before. Suppliers and their suppliers lack cyber security capabilities and thus have poor cyber hygiene. Hence the requirements in NIS2, DORA and other law rooms. And lawmakers know that herd immunity depends on systematic cybersecurity. How do you validate and prove this?
The business benefit of cyber hygiene is directly linked to trust in your brand, the resilience of your business. The reputation of the business is at stake. During the pandemic, you did not want to cooperate with individuals who did not wash their hands, did not take their vaccine, did not use a mouth guard, did not keep their distance or were aware of symptoms. Why should you or anyone else want to work with someone who does not take cyber security seriously and has a lack of cyber hygiene?
Security must be easy to get right, especially when the future demands systematization, documentation and being able to prove cyber hygiene. Cybersecurity is a race anyone can run. The motivation to get there runs through the business-driven risk perspective that good cyber hygiene testifies to a business that thrives and where cyber security is a DNA.