Perhaps the most intuitive principle of learning, traceable to ancient Greece and Aristotle: “it is frequent repetition that produces a natural tendency.”
But has the art of hammering home, in the modern world of desensitisation, inadvertently replaced emphasis with exaggeration when debating the dangers of cyber security?
“Absolutely not,” says Pierre Noel, Chief Security Officer, Microsoft Asia, with a wry smile and a head shake, when speaking exclusively to Computerworld New Zealand.
“As a business in New Zealand, if you have information that is of value to somebody else, then I say welcome to the team.”
The team being the 500,000 plus businesses up and down the country currently battling to keep their virtual perimeters secure, some taking cyber security seriously, others with a pinch of Kiwi salt.
But in all fairness they paid attention the first time, remember.
Heck, they even glanced up from their desktops when a breach of Sony Pictures Entertainment revealed Angelina Jolie to be a “minimally talented spoiled brat”, when Target agreed to pay hack victims US$10 million damages and even when JP Morgan reported that 76 million households and seven million small businesses were exposed across America.
Yet in 2015, for many businesses it no longer feels like ‘news’ when the hacking of another giant corporation is reported, with the industry severely fatigued on the topic of cyber security.
“For those questioning the rise of cyber crime, they should speak to Interpol,” says Noel, drawing on 25 years of international experience in Information Security and Enterprise Risk Management.
“Businesses must realise that when it comes to the organised crime gangs of the world, the mafia and the drug lords realised four or five years ago that they could make more money through cyber crime than by selling drugs.
“During the past five years we’ve seen a creation of a complete ecosystem as part of the organised crime community, with criminals now tasked with weaponising malware to make a lot of money.”
Alluding to the widely held belief of ‘it won’t happen to me’, or even the commonly used ‘ignorance is bliss’ approach in business, Noel referred back to December 2014, to the story of a German steel factory being brought to its knees by an online security breach.
The gist? “It’s a steel factory, you wouldn’t think it would be a target but it was subject to blackmail,” Noel explains.
According to media reports, hackers blackmailed the organisation with a message threatening to disrupt the factory’s systems unless a significant ransom was paid.
The factory refused to pay.
Two weeks later, the factory suffered massive damage after hackers managed to access production networks, allowing them to tamper with the controls of a blast furnace, crippling operations, as reported in the German government’s annual IT security report.
“Businesses must be advised beforehand,” Noel adds. “They must be advised by all parties, including law enforcement agencies before such incidents happen so we can all agree on some basic principles of what needs to be done.
“Too often, businesses are caught in such a situation without having thought their way through in the first place, so it is critical to be prepared.”
For Noel, in referring back to the hack, when the factory is in meltdown and panic has set in, “this does not want to be the first time you’re aware of the situation.”
“Create a resilient plan so you know when to speak to police, when to ask the CEO to step in, when to call on law enforcement,” he explains.
The same advice applies to the many large enterprise organisations in New Zealand, through the mid-tier and down to the 460,000 small businesses operating nationwide, with Noel emphasising the ability to “reinvent yourself in the face of a crisis.”
While it may go without saying in the modern day, Noel believes all organisations should “assume breach”, forming an acceptance that a hack is inevitable but crucially, understanding how the company can “withstand the hit.”
“Enterprises must assume breach and work on the assumption that they will get hacked, in fact it may already be happening right now,” Noel adds.
But as the CSO, the executive in the corporation responsible for the security of personnel, physical assets and information in both physical and digital form, is such an acceptance an admission of helplessness? Or even incompetency?
“As a CSO, my job should not depend on preventing security attacks,” adds Noel, who in his previous life held the responsibility of IBM Security portfolio at a global scale. “If this is how I am incentivised and rewarded at the end of the year, I will resign immediately.