
Is the Albanese government not taking AI cybersecurity threats seriously with the Budget?

Australia recently had its Budget Night, where the Treasurer, Jim Chalmers, revealed how the Australian government will spend its money. The Budget will reveal the relative priorities of the government in future. One of the major criticisms of the Budget came from cybersecurity experts, who believed that the government was not taking cybersecurity seriously enough.

As this news article reported,

Jim Chalmers’s third budget has been criticised for being light on cyber security, despite threats from state-sponsored actors and criminal gangs harnessing artificial intelligence to increase the speed and scale of attacks. 

What do I think?

Mindset shift required FIRST

For starters, cybersecurity is not something ‘technical’ that is solely the IT department’s responsibility. Unfortunately, too many people ACT as if cybersecurity is the IT department’s problem, despite KNOWING in their minds that it is everyone’s responsibility. I have seen this attitude from important decision-makers within private and public sector organisations to rank-and-file staff members.

To have cybersecurity, EVERYONE must adopt a cybersecurity mindset, which means a cultural and psychological shift is required.

As a result of this wrong attitude, decision-makers get seduced by the latest cybersecurity gadgets, software, and AI, while neglecting the human aspects of cybersecurity.

Why is it hard to adopt a cybersecurity mindset?

The root of the issue is that there is an unavoidable dichotomy between cybersecurity and convenience. An extremely secure system will be a pain in the ass to use. Conversely, an extremely easy and convenient-to-use system is likely to be an easy target for hackers to exploit.

There is no way around this dichotomy!

So, to have cybersecurity, EVERYONE must be willing to sacrifice convenience to achieve it.

Example

However, I am hearing stories of directors of certain companies who demanded that their IT department exempt them from Multi-Factor Authentication (MFA) because they are too important to suffer the inconvenience of MFA. I would argue that precisely because these people are directors, they are more likely to be targeted by hackers. Therefore, it is more critical that they suffer the inconvenience of MFA for the sake of their organisation’s cybersecurity.

This is an example where convenience trumps cybersecurity. It is a pervasive mindset that runs from the top to the bottom of organisations. Worse still, even people within IT departments are infected with this mindset too.

That is why we are always on the back foot when it comes to cybersecurity.

Is the problem a lack of knowledge?

The article reported,

The problem is, even despite the recent flurry of media headlines, many SMBs remain blissfully unaware of how or why they can and should be improving their cyber defences. 

Is it true?

In my experience, the problem is not so much about lack of knowledge.

Given the media attention paid to cybersecurity and the amount of basic cybersecurity information put out by the government and private organisations on websites and social media, individuals and small businesses have no excuse for lacking knowledge. I have written an entire book for non-technical folks about cybersecurity at a highly affordable price. I have a friend who specialises in teaching cybersecurity awareness to non-technical people. I have another friend who tried to sell software to help people deal with ransomware. But we find it an uphill battle to get people to take action to help themselves.

Why?

Because cybersecurity is inconvenient. And people (from decision makers down to rank-and-file staff) have chosen convenience over cybersecurity.

For individuals and small business owners, this translates to inaction. For large corporations, this translates to underinvestment in cybersecurity, including severely understaffing their cybersecurity functions and neglecting to develop pipelines of cybersecurity skills development. The fact that the cybersecurity industry has an acute mental health problem that requires a not-for-profit organisation to deal with it is a sign of severe neglect. As I wrote in Why ‘dead bodies’ of cybersecurity victims will pile up faster?, there is no will by the government to fix the demand side of the cybersecurity skills shortage crisis.

Is the Budget enough?

I am not an economist. So I cannot comment on how much is ‘enough’.

But one thing I know.

Without a mindset change, pumping more money into cybersecurity will be like pushing on a string. For example,

  • You can spend lots of money ensuring compliance with the latest cybersecurity governance framework. But without a mindset shift, it will simply be a box-ticking exercise that goes through the motions. It will just end up as another layer of red tape.
  • You can spend lots of money fortifying systems, but a careless system administrator who uses an easy-to-guess password for his convenience becomes the weak point that allows hackers to get in.
  • You can train people to be cyber-aware all you want, but if they do not ACT on what they have learnt because it is too troublesome personally, it will just be head knowledge and all the training will come to naught.

Also, perhaps the cybersecurity experts are right. The lack of cybersecurity investment in the Budget is perhaps a sign that the required mindset shift is absent.

Conclusion

Once we have a societal mindset shift towards cybersecurity and are willing to sacrifice convenience to achieve that, priorities and financing towards it will naturally follow. If you are not convinced, just take a look at the tiny country of Israel. They have an all-of-society approach towards security. They are well-known to be a cybersecurity superpower, punching well above their weight. If we do not have this mindset shift, we will continue to be juicy soft targets for cybercriminals and foreign nation-state hackers to exploit, and our cybersecurity problems will pile up.


DON'T GET HACKED!
