CYSE 425W – Common Organization Cybersecurity Mistakes

Please read the KPMG report in the link: https://assets.kpmg/content/dam/kpmg/pdf/2014/05/cyber-security-not-just-technology.pdf

Which of the five mistakes do you think is more common in an organization/business of your choice? Which of the three options would be more challenging in taking action (risk assessment, changing organizational culture, or determining budget)?

Of the five cybersecurity mistakes that exist within many industries, the most prominent within critical infrastructure industries is the perception that hiring the best professionals to defend against cybercrime is the only required measure. While hiring skilled professionals can be beneficial for multiple reasons, it should not be the only action because of the number of other changes that need to occur. Specifically, for organizations handling electricity, water, or fuel, the main issue is that cybersecurity wasn’t a part of the model and now needs to be implemented on a legacy foundation. There’s also the issue of applying cybersecurity behavior to employees, as well as vendors, to ensure multi-layered protection.

Out of the options of risk assessment, changing organizational culture, and determining budget, I believe that changing organizational culture would be the most challenging for taking action. With risk assessment or determining a budget for cybersecurity measures, while both require looking at multiple different aspects of a business to make those changes, getting people to change is one of the most difficult aspects of cybersecurity measures. This is due to the hierarchy of any business often lacking any knowledge when it comes to security practices outside of basic measures. Employees are likely to stick to practices like writing passwords on notes, leaving devices open when they need to do something else, and clicking on links or emails without considering the potential danger. Upper management struggles with cybersecurity by seeing it as an additional cost to a business with no returns that only eats up resources, as well as maintaining the same behavior as regular employees. So, this kind of change would require people to significantly change how they work, which can cause more frustration with cybersecurity measures despite the benefits.
