Last month my car was stolen and I have, out of necessity, been talking far too much to my insurance company, its agents, a recovery company, the Met, an unidentifiable intermediary of some kind and now a repair yard. Each has sent me numerous communications – some by post, some by email, one by Dropbox and, if I remember correctly, one by WhatsApp. And each, without fail, has included some sort of message to say that my data is critically important to them and the risk of cyber crime (which is consistently and erroneously written as one word) is dangerous and increasing, alongside warm words to reassure me that these organisations are protected to the fullest extent possible.
To be frank, I just don’t believe them. I accept that the (multinational) insurer itself may well be – leaving aside whatever they think they mean by “to the fullest extent possible”. But the further we move down the stack of companies involved, not so much. The agents maybe, the recovery company I very much doubt it, and the bodyshop – which is independent and not a large chain or affiliated in any way – I am going to say not at all. This isn’t actually a criticism; in their position, I certainly wouldn’t be either, on the maxim that security as risk management takes account of the specific threat and cost-risk analysis. But every cloud and all that, and the pointless loss of my car did set me thinking.
Are they being deliberately dishonest? I don’t believe that to be the case, no. Even in our increasingly cynical and laissez-faire world, few people or companies actively and actually lie. I suspect, instead, it is simply a combination of two things: a very rudimentary understanding of cyber security at all levels in these companies, and yet a recognition that having security controls (in the loosest sense) in place is nonetheless important and helps in achieving new business. It is, in other words, perceived as a possible differentiator.
I pondered these scenarios some more and then I did the obvious thing – I called one of the companies I’ve been dealing with, and asked for more information about their cyber security. And no, I won’t tell you which one and nor can anyone divine from the following which it might be; I have obfuscated (but it wasn’t the Met).
The person on reception couldn’t answer my questions and did not know who might be able to. I was passed around a little and then directed, I thought a little cautiously, to a member of senior management. Our conversation was interesting, amicable and ultimately revealing. The company runs its own IT, through an IT manager. She was unavailable, being distracted and out of head office overseeing the transition to some new software package or other (my contact wasn’t sure of the details). But I was reassured that she was indeed an expert in cyber security and took the issue very seriously. Indeed, the company held her responsible for everything in that area and deferred to her at every turn. I asked how her security progress was measured, and in any meaningful sense it doesn’t seem to be; she knows her reporting thresholds, I was told, and my contact was confident she would speak up if necessary (which it hadn’t been so far). I asked about the security controls in place; there was AV (definitely, although my contact wasn’t sure which one), and they thought something else to protect their emails. I asked about risk, strategy, BCP and more, but quickly realised I was just a voice in the wilderness; my contact, a C-level professional, didn’t really know what I was talking about or what my questions really meant.
So much for “to the fullest extent possible”. But clearly the firm have thought about the cyber threat and go as far as mentioning it in all of their client communications. And for the reasons I have given above – that most people are honest – the company is presumably satisfied it is doing what it should. I can’t realistically challenge that based on my short conversation, but I can make some broad assumptions and judgements; in short, I do not believe they are doing enough.
It is interesting nonetheless that the marketing angles of cyber security are understood and that investment has been made in that area. When it comes to selling, cyber security is understood to be necessary – yet it seems the same cannot be said about security in practice. I think it was Brian Redhead who remarked that if the opposite of what you are saying makes no sense, then don’t say it. He was talking about politicians, but it works here too.
That said, we have recently been engaged with a client primarily for marketing purposes and through its marketing budget – though we are, importantly, providing the services they need in order to stand up their marketing claims. I suspect they will not be the last; indeed, as foreseen by the high street banks, offering a secure service (in whatever area) has to be more appealing to clients than the opposite. If marketing takes us out of the tactical and into the strategic, and takes us into the senior leadership of a company because it speaks to its bottom line, then all power to the marketeers. My brief and entirely anecdotal experience suggests that it hasn’t. Yet?