People come before computers in cybersecurity

[Image: Davos attendees compare firewall software. Credit: World Economic Forum]

As business leaders and politicians gather in Davos to discuss how to reshape the world, one of the topics on their agenda will be cyber-resilience, which is all about preparing organisations and individuals to cope with the threats faced in cyberspace.

This is a subject of great concern at the moment, since we have cyber-threats, cyber-crime, cyber-warfare, and goodness knows what cyber else to contend with. Cyberspace, wherever that is, seems to be a very dangerous place.

It is certainly not my intention to reassure you that cyberspace is safe and only the paranoid think otherwise, but I do feel that the prefix “cyber” is unhelpfully suggestive of an unknowable “other” realm, where unseen and unimaginable dangers await us.

If I may, let me take the opportunity to provide the great and good of Davos with one piece of advice about cyber resilience before they commence their deliberations. This advice also applies to you, so pay attention:

Look around you. You’re already in cyberspace.

What I mean is that we should all take some time to stand back and take stock of how the world works these days. What is it that we do? What things do we use? To whom and what do we communicate, and how?

It won’t be a shock to anyone to discover that much of what we do occurs in “cyberspace”. What might be surprising is how much. It has been said that in the year 2000, about 25% of all the data in the world was in digital form. In the year 2014 that figure is now 99% and counting. Cyberspace is not another realm; it is precisely where we now spend much of our lives.

Threat to cyber-threat

Most of the risks we face in cyberspace are, broadly speaking, the risks we have always faced in the world. It’s just that we are now in cyberspace and so the dangers have simply followed us there. There are the risks of accidents, mistakes and losing things. There is criminality such as theft, fraud, vandalism and harassment. There is spying and even warfare. The cyber-threat is largely composed of concepts that we are already well familiar with.

Of course there are differences between risks in cyberspace and those in the physical world. For one thing, unlike a physical object, data can be stolen without us noticing. A nuclear power station control room could, in theory, get connected to the internet. A simple press of a button can delete thousands of filing cabinets’ worth of information. And “big data” provides many new potential threats to our personal privacy.

But, at their heart, most cyber-risks relate to issues that we have long been familiar with and it should thus be well within our capabilities to manage them, and to counter them.

Fortunately there is a lot of good advice out there about how to become more cyber-resilient. The problem is that we humans are not wired to instinctively follow that advice. Most of us know to lock our front doors when we leave the house and are cautious about encounters with strangers. Organisations tend to be good at implementing access control procedures at the entrances to their buildings and have rigorous procedures for controlling physical assets. After all, we once walked in the savannahs of Africa among lions and it was there that we learned how to look over our shoulders and sprint for a tree.

Cyberspace, however, is all too new and intangible for most of us to intuitively grasp the dangers. We take gambles by clicking on interesting (but untrusted) web links, we write sensitive emails and then send them over unprotected network links, we put the entire contents of our computers onto tiny portable devices and slip them in our back pockets. We behave recklessly in cyberspace because we don’t stop to think about what we are really doing. We don’t look in the mirror enough.

Cyber-resilience to resilience

For the business leaders in Davos I have a concrete suggestion about cyber-resilience. Given that cyberspace is where we now do most of our business, please stop thinking about cyber-resilience as a problem of information technology. It is not a computer problem, it is a people problem. Cyber-resilience is a subject to be addressed in the very highest boardroom, not the IT department. Smart organisations already know this.

My best guess is that in ten years’ time we will not be talking about “cyber-resilience” at all – we’ll just talk about “resilience”. We need to start thinking that way today.