Seafarers and accountants: a different cyber perspective
Ancient seafarers and accountants are not normally the subjects of cyber security related articles. This post will seek to address this oversight by considering how these two communities made use of the virtual environment to go about their business. By doing so we can take a broader perspective on what the virtual means to organisations today and how this translates into protecting against cyber threats.
Cyber security has been in the public’s awareness for a number of years. This has arisen through high profile security incidents such as the Wannacry NHS incident or through data breaches such as that reported recently by Marriott hotels.
Despite this awareness, cyber security is still a relatively new concept for many people and they find it difficult to understand what matters to their business. There is a tendency to focus on the specific incidents that are in the media, a ransomware attack or a data breach, instead of taking a more holistic view.
To try and explore this perspective this article is going to look at what the virtual world actually is and how it has developed over the centuries. Ultimately this will allow the modern business world, much of it enabled by the virtual world, to be considered in a new light.
The use of the word ‘centuries’ in the previous paragraph may have been cause for an eyebrow to be raised. How can the virtual world be centuries old when computing was only developed in the twentieth century? The modern use of the word virtual is inexplicably linked to technology. However we can consider much older technologies that also operated in the virtual space.
One of the earliest and most basic of these would have been the art of storytelling and folklore. This was a knowledge retention and transfer technology that allowed important information essential for survival to be retained. For example, stories or tales could have contained knowledge about the weather that would have been of practical use to early seafarers in order to foretell storms. The ‘red sky at night’ saying is an example of this weather lore and, at least in Northern Europe, is scientifically sound.
In this case the virtual realm of the story serves a clear business function; minimising the risk to seafarers by reducing the chance of setting off in unfavourable conditions. If this business function was deemed to be of critical importance to the seafaring community they might seek to control and protect the story telling relevant to them. They may choose to encourage story telling sessions to maintain and spread the knowledge, they may seek to crack down on stories being introduced from other areas where the weather conditions are different, or they may even seek out stories from other areas in case they offer better predictions. The exact specifics of the stories are not important, provided they fulfill the desired business function. The requirement to protect that business function is derived from its importance to the business and not because of how it is enabled.
The invention of record keeping systems, such as writing, enabled the key business function of accounting to be developed. It could be argued that physical documents are not virtual but they are used to represent virtual systems such as the assets or flow of money in a business. The value in such documents lies not in the weight and quality of the paper but in the information they contain. Such information serves a key business function by allowing business owners, investors and managers to measure the enterprise in an objective manner.
Again, similarly to our seafarers and their weather forecasting, the value of this business function is deemed to be of critical importance and so efforts will be made to protect it. These efforts will focus on the physical security of the documents and may involve locks, safes and guards. If the value of the information was deemed to be very important then duplicates could be made and stored separately. The human dimension may also be protected and measures taken to buy, or otherwise enforce, the loyalty of the accountant. Once again, the requirement to protect the business function arises from the importance of that function to the business and not because of the specifics of how the function is enabled.
The conceptual leap into the modern world from these bookkeeping days is not as great as would be imagined despite the hundreds of years of technological progress that were required to get there. Businesses have critical functions that enable them to operate and some, perhaps all, of these functions are enabled through virtual means. The lessons from the past still apply though and businesses should protect their functions based on their importance to the business and irrespective of how that function is enabled.
The recent focus, and at times hype, surrounding cyber security often only results in shallow analysis and action. The importance of using a modern, up to date, operating system was widely noted in the media following the NHS Wannacry incident. The natural action for a business leader who observed this incident would be to provide direction to upgrade and update all the operating systems being used in their own organisation.
From a technical security perspective, this is an excellent course of action, however it fails to prompt the question of what is the business function that is being enabled by that IT and how critical is it to the organisation? Without asking this question it is not possible to judge the relative importance of the IT and so it is not possible to prioritise spending. This leads to the inefficient use of capital and harms the competitiveness of the business. For example upgrading a large number of operating systems could be a considerable cost. Much of this investment could be potentially undermined and wasted if there remained in place a poor password policy or if the operating systems were not configured correctly.
Businesses need to understand how IT enables their business before any security actions are taken. They need to be able to judge the relative importance of their key business functions so that they can prioritise their security spending. With this more holistic view of how IT allows the organisation to function, business leaders can manage cyber security like all the other risks they routinely have to manage. It may be decided that the payroll is the highest priority so significant investment is placed in securing the IT that enables it. Equally it may be decided that a more cost effective, yet still effective, solution is to issue company cheque books to low level managers for use in an emergency.
Cyber security should not be complicated. If it is then the people who matter will not understand it and will only resource partial or ineffective solutions. Instead cyber security should be simple, clear and provide business leaders with the information they need to make informed decisions.
Clear Cut Cyber specialises in helping businesses understand what cyber security means for them so they can make informed decisions to improve their security. If you want to find out more contact [email protected]