With the breadth of news coverage around blockchain, hacking scandals, and data integrity, an average person polled on the street is likely to have at least a basic sense of cybersecurity, as a concept if not by name.
The idea of cybersecurity is omnipresent; we know it exists, and we know it matters. A more concrete definition, however, has proved elusive. Professionals and academics alike have tried to narrow it down, but there remains no definitive, universally-accepted scope of cybersecurity.
With so many definitions available, and none in precise agreement with one another, determining a way forward to cover their organisation against the spectre of cybersecurity can feel like a minefield for key decision-makers.
Understanding the deeper implications of cybersecurity and how to protect users from cybercrime has become unclear. Academic literature mandates that the term ‘cyber attack’ be used when the effects of the cybercrime are so severe that it requires state intervention due to its widespread, destructive nature.1
Cybercrime may be defined as a “malicious attack to software, computers and networks”.2 In an attempt to simplify this rather complex issue, think about it in terms of being comparable to how a kidnapping is planned.
In a lecture series held at MIT CSAIL, Harold Moss, a Senior Director of Strategy and Business Development from Akamai, states that hackers are no different to kidnappers – they watch where people go, identify where they’re going to be vulnerable, and then attack.3
Cybersecurity is therefore not merely a technology risk, but a broader business risk. Protecting the business must be seen not as an issue for the IT department but as a team-wide responsibility concerning all stakeholders.
Three sample definitions of Cybersecurity
1. Cybersecurity and Information Security
This approach debates the relationship between cybersecurity and information security – and begs the question whether they are subsets of one another, or are indeed the same thing.
Broadly defined, information security is classified as the protection of information and information systems from unauthorised access, while cybersecurity is the ability to defend the use of cyberspace from cybercrimes.5
Information security is a concept more broadly understood; it’s been around for decades. The new question is this: whether cybersecurity is an aspect of information security related to private information stored in cyberspace, or whether cybersecurity has subsumed information security altogether.6
A more likely outcome is to consider information security and cybersecurity to be both interdependent and mutually exclusive.7 While they are different disciplines requiring different strategies to maintain security, there is enough overlap that they will always need to be considered in tandem through an integrated approach.8
2. A Human and a Computer
Fredrick Chang, former Director of Research at the US National Security Agency, outlines this definition of cybersecurity and the need for an interdisciplinary solution: “Humans must defend machines that are attacked by other humans using machines. So, in addition to the critical traditional fields of computer science, electrical engineering, and mathematics, perspectives from other fields are needed.”9
The cyber hacker trades in digital heists such as “espionage, disinformation, market manipulation and disruption of infrastructure, on top of previous threats such as data theft, extortion and vandalism”.10 To defeat a human threat, cybersecurity strategies need to be as intelligent, dynamic, and creative as their opponent. This requires holistic solutions across interconnected systems, and drawing on insights from experts across a broad network of disciplines.
3. Cyberspace Confidentiality
In a cybersecurity study conducted in 2017 for the Journal of Digital Forensics, Security and Law, researchers reviewed a number of stakeholder issues and came up with this definition of cybersecurity:11
“The approach and actions associated with security risk management processes followed by organisations and states to protect confidentiality, integrity and availability of data and assets used in cyberspace. The concept includes guidelines, policies and collections of safeguards, technologies, tools and training to provide the best protection for the state of the cyber environment and its users”.12
By this definition, cybersecurity can broadly be considered the sum total of all strategies and systems required to defend the integrity of all confidential information held by a given institution.
Risk to businesses
Due to digitisation, companies need to recognise the three types of interrelated cybersecurity risks that could potentially occur:
Businesses need to approach cybercrime with a broad perspective to ensure the digital safety of their data and systems. In the business sector, there are “hundreds of millions of pounds lost to fraud, large commercial transactions derailed, customer-impacting disruptions to business operations, and significant brand value and consumer confidence diluted.”13
Advances in technology are enabling more sophisticated threats against companies.14 Security for devices connected to the internet requires large-scale reasoning and solutions. This includes cell phones, tablets, and technological accessories like headphones and fitness monitors. Cybersecurity needs to encompass all business processes and functions to be effective.
Cybersecurity is, rather, a matter of prioritising risks from high to low. Low-level risks constitute “acceptable loss” outcomes. The Digital Age presents many positive and negative outcomes for businesses, and this is why risk mitigation has become essential for cyber-resiliency strategies.15
Mapping the way forward
As businesses venture further into the digital world to maintain relevance, they expose themselves to an ever-increasing number of cyber threats. A holistic plan for cybersecurity management is essential, thus four structural hurdles have been proposed for companies to address cybersecurity holistically:17
- Certain levels of Cybersecurity risk are inevitable
- Implications of Cybersecurity are pervasive, spreading into every aspect of the business
- Cybersecurity risk is difficult to quantify
- It’s difficult to change user behaviour
Moving away from viewing cybersecurity as a technology risk and recognising it as a business risk doesn’t have to be an insurmountable task. Cybersecurity is a team sport, not a job description, and a comprehensive cybersecurity strategy will touch every aspect of an organisation, including IT, employee training, and security policies.18
Changing user behaviours
Companies must realise that users need to change their behaviours for the security processes to work effectively. Users can unintentionally cause malware attacks by clicking on sabotaged links, or downloading viruses on computers, laptops, or cellphones.19
For now, there is no concrete solution to this problem. Staff behaviour may be guided by having educational campaigns that show them best practices for online security, but ultimately, companies will incur some risk. It’s inevitable that cyber risks will occur, as even innocuous emails can increase the odds of a security breach. Mitigating against these incidents will decrease the chances of security breaches in a company’s cyberspace. This requires engagement and commitment from all levels of the company, from communication to active participation, in low-risk behaviours online.20
A case study in cybersecurity agility
Telstra is an industry beacon in cybersecurity innovation. One of Australia’s leading telecommunications and technology companies, Telstra was nominated in 2017 for the Cybersecurity Project of the Year. They developed a cybersecurity guide to success, titled Telstra’s Five Knows of Cyber Security, briefly described below:22
1. Know the value of your data: Understand the true value of your data – not only for your company, but for those who want to steal it. Recognise how your data could be leveraged for financial or intrinsic gain.
2. Know who has access to your data: Both internally and externally, and who has administrative rights.
3. Know where your data is: Be aware of where you are storing your proprietary data. Whether it’s stored locally, or on the cloud, you need to be aware of how it’s maintained, and whether you can trust service providers to protect your data from third parties. Ensure any third-party providers tasked with storing your data are thoroughly vetted.
4. Know who is protecting your data: You need to have a comprehensive understanding of what processes those tasked with protecting your assets follow, and how easily you can reach them when a breach occurs. Companies are advised to consider hiring a trained, in-house security expert for this purpose.
5. Know how well your data is protected: Be aware of what systems and processes are employed to protect your data, and whether the security measures are adequate and updated regularly to combat new threats.
However you understand cybersecurity today, an awareness of how your system works and where vulnerabilities might occur is an essential step in developing a strategy to protect your organisation against cyberattacks. With the sophistication of cyber threats that exist against businesses today, cybersecurity ought to be a top priority for any organisation or business with sensitive, private, or otherwise classified information.
- 1 Satter, R. (Mar, 2017). ‘What makes a cyberattack? Experts lobby to restrict them’. Retrieved from Ap News.
- 2 Craigen, D., Daikun-Thibault, N., Purse, R. (Oct, 2014). ‘Defining Cybersecurity’. Retrieved from Technology Innovation Management Review.
- 3 Moss, H. (May, 2018). ‘Cybersecurity & AI: A venture into reality’. Retrieved from MIT CSAIL.
- 4 Campbell, N. (Oct, 2017). ‘Cybersecurity is a business risk, not just an IT problem’. Retrieved from https://www.forbes.com/sites/edelmantechnology/2017/10/11/cyber-security-is-a-business-risk-not-just-an-it-problem/#1db375ce7832
- 5 Salvi, V. (Jan, 2015). ‘The debate on defining cybersecurity’. Retrieved from Bank Info Security.
- 6 Chernobai, I. (Apr, 2018). ‘Cybersecurity vs. Information security’. Retrieved from Protectimus.
- 7 Chernobai, I. (Apr, 2018). ‘Cybersecurity vs. Information security’. Retrieved from Protectimus.
- 8 Chernobai, I. (Apr, 2018). ‘Cybersecurity vs. Information security’. Retrieved from Protectimus.
- 9 Craigen, D., Daikun-Thibault, N., Purse, R. (Oct, 2014). ‘Defining Cybersecurity’. Retrieved from Protectimus.
- 10 Campbell, N. (Oct, 2017). ‘Cybersecurity is a business risk, not just an IT problem’. Retrieved from Forbes.
- 11 Schatz, D., Bashroush, R., Wall, J. (Jun, 2017). ‘Towards a more representative definition of cybersecurity’. Retrieved from Journal of Digital Forensics, Security and Law.
- 12 Schatz, D., Bashroush, R., Wall, J. (Jun, 2017). ‘Towards a more representative definition of cybersecurity’. Retrieved from Journal of Digital Forensics, Security and Law.
- 13 Mehta, O. (Jan, 2017). ‘Cybersecurity vs. Cyber security: Don’t leave a gap in your security’. Retrieved from LinkedIn.
- 14 Fimin, M. (Nov, 2017). ‘Five biggest security technology trends for 2018’. Retrieved from IT Proportal.
- 15 Parisi, R. (Oct, 2018). ‘Why cybersecurity insurance is essential to your risk management strategy’. Retrieved from Security Roundtable.
- 16 Bradford, L. (Mar, 2018). ‘What you need to know about cybersecurity in 2018’. Retrieved from Forbes.
- 17 Bailey, T., Kaplan, J., Rezek, C. (Jun, 2014). ‘Why senior leaders are the front line against cyber attack’. Retrieved from Mckinsey & Company.
- 18 Schacklett, M. (Apr, 2018). ‘10 ways to develop cybersecurity policies and best practices’. Retrieved from ZDNet.
- 19 Bradford, L. (Mar, 2018). ‘What you need to know about cybersecurity in 2018’. Retrieved from Forbes.
- 20 Chen, B. (Aug, 2018). ‘Fostering a culture of cybersecurity’. Retrieved from Forbes.
- 21 Telstra Security Operation Team. (2017). Retrieved from Cybersecurity Excellence Awards.
- 22 Telstra Security Operation Team. (2017). Retrieved from Cybersecurity Excellence Awards.