Cyber confidence doesn’t mean cyber secure
Technology supports secure human experiences. The human experience should always be the lead focus for the implementation of any new technology. If technology isn’t making improvements or protecting experiences, then it becomes a roadblock.
At Think|Stack, our slogan is People Before Tech. This mantra helps us communicate with non-tech people about technology. By reviewing a process or experience through the human lens first, then layering in the technology that supports that process or experience, we can empower everyone in the room to understand what is being designed and discussed.
Recently, our mantra extended beyond our clients into an industry-wide research project that we are conducting with Filene and credit unions nationwide. This research explores the emotional impact of technology, not just the tactical, using human analogies to describe environments and cybersecurity.
One particularly interesting finding to come out of this research project has been the confidence of credit union leaders in their cybersecurity programs. Overwhelmingly, 71% feel confident they are fully protected and 92% feel they were never breached. However, among non-credit union business leaders, just 16% feel prepared.
As a young man, I was a lifeguard, and I spent most summers watching the waters of a quarry north of Baltimore. It was an open body of water that was exceptionally deep, over 100 feet in some places, and while it was fun, it was also much riskier than a traditional swimming pool. There were no edges for tired swimmers to hang onto, just floating docks spread out around the lake, some close and some as far as 75M away from shore. And worst of all, dark, deep and cold water meant that if you made a mistake, it could be fatal. To protect against that risk, we had everyone take a swim test.
The swim test was relatively simple – swim a lap up and back without stopping. Those who passed the test could be lumped into a few categories. There were excellent swimmers who proceeded to enjoy the lake without issue. There were the cautious swimmers, those who passed the test, but knew their personal limitations – passing the test didn’t mean you were Michael Phelps (the most decorated Olympian of all time and a Maryland native!), rather simply good enough to proceed. Those folks often went with a buddy, exercised caution and swam near the closer docks.
The last group were the dangerous ones. They were the ones that passed the test by the skin of their teeth, but felt like Katie Ledecky (the most decorated female Olympic swimmer and another Maryland native!). They were confident, overly so, and would try to swim far away with reckless abandon. These were always the folks that needed rescue. When you reached them, they were always so surprised they couldn’t make it – shocked even. But for those of us observing, we recognized the overconfidence and saw it coming.
The reaction that I had to those swimmers is the same that I have to credit union leaders who believe they have never been breached and are completely confident in their security. Overconfidence without caution will lead to a breach.
The swim test is much like a passing grade from a regulator or an annual pen test. While it means your security meets a framework and standard, it doesn’t make you an Olympian.
Of these same confident respondents, only 49% agreed that their IT is up-to-date. And the same credit union leaders who claim confidence in their security are also those who identify as under-skilled and under-staffed.
Additionally, credit unions have expanded their threat landscape by moving to remote work and adding new technology to keep pace with innovation.
Over the past 18 months, we have seen a 600% increase in cybercrime. Aged software is the pathway for a majority of cyberattacks, and 95% of cyber breaches are the result of human error.
Protecting your member data is not a one-and-done solution. It is a full-time job to keep up with and stay ahead of the hackers, who are relentless and improve their tactics every single day.
The only way to truly mitigate risk of a breach is to constantly analyze the situation. Do you have the appropriate governance model in place to properly protect your credit union and ultimately your members? According to McKinsey & Co, just 16% of executives say their organizations are prepared to deal with cyber risk.
Cautiously approach the threatening lake that is the technology landscape today with a buddy – an expert partner – and maintain a healthy dose of reality by always exploring ways to improve.