It’s probably fair to say that we all experience apathy – that is the feeling of not being remotely interested in, or enthusiastic about something, or perhaps even anything - from time to time. Even the keenest and most energetic of us are likely to encounter things or situations which we perceive as totally irrelevant and meaningless, and towards which we are completely indifferent. Perhaps it’s the case that most of us are apathetic towards some things most of the time, and some of us may be apathetic towards most things some of the time.
For many, Cybersecurity is a subject which inspires apathy. And it is easy to see why. In the first instance, Cybersecurity is a bit like insurance – you’re protecting against a risk that may never happen. Whether you decide to take out the insurance depends on your assessment of the degree of risk and the impact if the risk transpires. But in the case of Cybersecurity, even though the evidence points to all of us being potential victims of attack, lots of us still believe it’s something that will never happen, as many individuals – and a significant proportion of organizations too - don’t believe that they will ever be at risk from Cyber threats. For example, in one recent survey, 51% of Small Business Leaders were convinced that their business would not be a target for Cyber criminals. Other research has found that many organizations viewed Cybersecurity as a necessary evil, required to comply with regulations such as GDPR, but with limited business value.
Another common perception is that Cybersecurity is someone else’s problem, so there’s no need for the rest of us to worry about it. In fact, research by Dtex systems found that nearly half of employees in both the public and private sector believed that they had little or no responsibility for Cybersecurity. Similarly, many senior leaders view Cybersecurity as a technology problem which is of little direct relevance to them and which can therefore be delegated to the IT or Security departments. Meanwhile, in a survey of Cybersecurity professionals, 26% said where they worked they were viewed with ‘indifference’ by the rest of the organization – while 25% felt they were regarded as ‘doom-mongers’ who blocked or slowed down everyday business tasks.
Clearly, such widespread apathy towards Cybersecurity constitutes a major barrier to effective defence against what is a pervasive and growing threat. Ultimately, it appears to be driven by ignorance, as it’s easy to be apathetic about something where there is such a widespread lack of real understanding of the scale and significance of the risk. Ignorance and apathy are clearly closely related – as the singer Jimmy Buffett alluded to when asking ‘Is it ignorance or apathy? – Hey, I don’t know and I don’t care’. But within this lies the route to overcoming apathy – it is to raise awareness of Cybersecurity threats, and their potential implications and consequences. Once we understand that a successful Cyber attack can pose an existential risk to a business, cause enormous operational, financial and reputational damage, lead to substantial fines and expensive lawsuits, give rise to disciplinary action against staff if they are found to have been negligent, and result in enormous inconvenience to individuals, we are far more likely to shed our apathy and take the necessary care to protect ourselves against Cyber threats.
Switchfast, August 2018, ‘Cybersecurity Mistakes All Small Business Employees Make from Entry Level to the C-Suite’ https://cdn2.hubspot.net/hubfs/1747499/Content%20Downloads/Switchfast_SMB_Cybersecurity_Report.pdf
Nixu Cybersecurity, May 2019, ‘Cybersecurity in an industrial environment’ https://www.nixu.com/whitepaper/whitepaper-cybersecurity-industrial-environment
Dtex Systems, 13/03/18, ‘Lack of Employee Personal Responsibility Threatens Security of Public Sector, Survey Shows’ https://www.dtexsystems.com/press/lack-of-employee-personal-responsibility-threatens-security-of-public-sector-survey-shows/
Dtex Systems, 01/02/19, ‘Large Majority of Enterprise Employees Understand What Good Security Practices Are, Few Practice Them Regularly, According to Dtex Systems YouGov Survey’https://www.globenewswire.com/news-release/2019/02/01/1709248/0/en/Large-Majority-of-Enterprise-Employees-Understand-What-Effective-Security-Practices-Are-Few-Practice-Them-Regularly-According-to-Dtex-Systems-YouGov-Survey.html)
McKinsey, March 2018, ‘A new posture for cybersecurity in a networked world’ https://www.mckinsey.com/business-functions/risk/our-insights/a-new-posture-for-cybersecurity-in-a-networked-world
Thycotic, 2019, ‘2019 Cyber Security Teams Survey Report: The CISO Challenge’ https://thycotic.com/resources/cyber-security-executives-survey-report-europe/