Thank you to Louisa Vogelenzang, the cofounder of The Cybersecurity Café podcast, for permitting me to reproduce an edited version of her original article on managing online risk.
Whether you are an individual or a small business, I want to show you that you already have solid foundations you can build on to help you confidently manage your risks in the online world. Why? Because you already practise those skills on a daily basis as part of the way you secure your physical world.
Let's start with a small exercise and I will show you how.
In your head, make a quick list of all the valuable items you have at your property or business.
I am guessing that your list was fairly easy to come up with and that it includes mostly physical items: your loved ones, family photos, perhaps some jewellery, the family car, a shed full of tools, art you have collected, your personal laptop, smartphones, gaming consoles, perhaps your vintage record collection, passports or maybe an inherited family heirloom. If you are a small business, maybe your list included your staff, your precious stock and your current cash takings, as well as some items that are less easy to quantify, like the trust your customers place in you or the 'experience' of being in your store.
The important thing is, you are able to identify the items of value to yourself and/or your business.
I bet you also know the value of many of these items, in total and individually. You can visualise where they are kept, and you know what steps you have taken to protect them. You have probably also thought before now about the impact it would have on you if these items were stolen: some items are replaceable, some are not. You may also have insured your items for a total figure and named specific high value items on your policy, to ensure you have the ability to replace them in the event that they are stolen or destroyed.
Here are some of the items from my list I thought I would share, including their value to me and what steps I've taken to protect them:
· My family. Invaluable and (overly) protected at all times. I wish they never had to leave my side, but when they do, I am verifying their safety as often as they can tolerate (mostly via SMS or, in the case of my dog, via my pet cam!).
· My wedding and engagement rings. High sentimental value, and to protect these I never take them off. This is probably because my Mum lost her original engagement ring down the kitchen sink when she took it off one day, and I am also quite clumsy, so would probably end up doing something similar!
· An inherited item of family jewellery. High value, both sentimental and monetary. This is kept in a safety deposit box offsite (I can't trust myself not to lose it).
· The family car. Medium value. It's insured and kept in the garage, which is protected by key fob entry that only those who live in the block have access to, as well as an electronic key individual to the car, an immobiliser and a car alarm. I am aware there are certain circumstances where my insurer won't cover me and we've made a note of those (for example, I can't allow my Dad to drive the car if he visits from the UK unless I pay extra and add him to the insurance for that period).
· All the other items of value in my apartment are secured, as you might expect, by a combination of key fob entry to the apartment block, where a video entry system also controls who can enter the block without a key (they must be authorised to do so by a tenant who authenticates them by sight over video), a front door key unique to my apartment that only I, my husband and a trusted friend have a copy of, and window locks.
Having a look around my local neighbourhood at the small businesses in the area, here are some examples of the physical security measures they take:
· My local coffee shop locks their outdoor tables and chairs away at night inside their building to reduce the risk of them being stolen.
· The local supermarket franchise uses CCTV inside and out and a security guard on the door, presumably to help them manage shoplifters during opening hours and the risk of a store break-in overnight, as they have high value items like liquor and cigarettes on the premises.
As well as knowing what your valuables are, their value, where they are kept and how you are protecting them, you probably also know what to do when things go wrong: who to call and what process you will follow in the event of an incident. For example, if you come home and find your tool shed has been broken into, you will probably check what is missing, call your loved one(s) to let them know, try not to touch anything to preserve any forensic evidence, call the police and report it, and then, once you have a crime number from the police, call the insurer (if you have insured this item). The police may also physically attend the incident to take photos or try to capture some forensics, and provide advice on how to reduce the risk of this kind of incident in the future. Your insurer may also send an assessor onsite.
You will also likely know how you will recover from a security incident. For example, if your car is stolen, recovery might mean taking public transport until you can arrange a hire car via your insurer (if they offer one); then, once the insurance claim has been processed, you will need to go out and buy a new car. If your mobile phone is stolen, you might (if you have been taking backups of the phone) be able to recover fairly quickly and easily; perhaps you have a spare phone and can be up and running in no time using the backups.
You are also able to adapt to new threats. Perhaps you have a neighbour who had their car stolen from their drive whilst they were unloading it (here in Australia car theft is still fairly common, with the latest statistics confirming there is one car stolen every 10 minutes). You learn from the police that thieves are targeting the area in this way at the moment; previously you were not aware of this threat, and now you are worried about your family being vulnerable as they often leave the car running in the drive. As a result, you take some steps to reduce your risk and improve your overall resilience: new processes that your household agrees on (not leaving the car engine running with the keys in the car on the drive), and some new tools/technology, settling on some CCTV outside of your garage.
It is also important to note that our risk appetite (how much risk a person is willing to accept) varies from person to person and business to business. This can be down to our knowledge/awareness of a threat, whether we believe we are vulnerable, the potential impact to us personally (often in $$) of a particular risk being realised, our available budget to reduce a risk, and even our previous experience.
Here is an example of how our physical security risk appetite can vary between humans.
Jenny, Chris and Jim go to the same swimming pool around the same time each week for the adult lane swimming on a Tuesday evening. They don't know each other and they all have different perceptions of the physical environment around them. As a result:
· Jenny aims to lock her wallet and smartphone in the lockers available, which costs her $2 each time, except for every now and again when she doesn't have the right change and can't be bothered to go back out to the front desk again. On these occasions, Jenny leaves her bag at the side of the pool as everyone at the pool seems nice enough.
· Chris doesn't want to pay the extra $2 for the locker (he's trying to save for his first motorbike) and decides to take the risk of leaving his bag at the side of the pool, but looks over to his bag every now and again to check nobody is looking suspicious around it.
· Jim had his wallet and phone stolen at the same swimming pool last year and spent many hours cancelling and getting replacement cards and getting his phone set up again (he hadn't backed up his phone and his insurer wouldn't cover him for this item outside of his house). He also lost $200 in cash that was in his wallet, in addition to the cost of the new phone. He never forgets the $2 locker money and considers this a worthwhile investment at $104 per year.
As well as these 'self-managed' physical risks that we manage on a daily basis, sometimes governments mandate laws to help enforce the reduction of a particular physical risk, for example the use of seatbelts in cars and strict blood alcohol limits for drivers to help reduce the risk of traffic accidents. Manufacturers can also build security features into their products; in the case of cars, alarms and immobilisers are now fitted as standard, although maturity varies greatly across different manufacturing industries.
The truth is, a lot of this article probably seems like common sense and is very familiar to you, because physical risk is often so much easier for us to understand. Unlike the virtual/online/digital world, humans have been living in the physical world for several hundred thousand years, and we are, for the most part, very familiar with making risk based decisions within it.
I am hoping this story has helped you to recognise that you should start from a position of confidence when it comes to your ability to manage risk in general, because you do this every single day. To recap, these are some of the existing skills you likely already have that you can apply to your online/digital/virtual world:
1. Identifying what is valuable to you and/or your business, where those valuables are kept, how well they are protected and the potential impact if something happened to these valuable items
2. Being aware of/staying up to date on threats around you and whether you might be vulnerable to them
3. Knowing what to do in the event of an incident
4. Knowing how you will recover from an incident
5. Being ready to adapt to reduce your risk
And whilst there are some key differences between the virtual world and the physical world, I will make sure we unpack all of these in the weeks to come, so that you can learn how to adapt your skills accordingly.