PREFACE
"To romanticize the world is to make us aware of the magic, mystery and wonder of the world; it is to educate the senses to see the ordinary as extraordinary, the familiar as strange, the mundane as sacred, the finite as infinite."
Novalis
(poet, author and philosopher of Early German Romanticism)
DO NOT SKIP THIS SECTION!
I'm going to get straight to the point: some of you will not like this book.
Not. One. Little. Bit.
Why? Because it isn't your typical cyber security book. It's going to challenge you. It's going to make you stop and think. If it doesn't, then you're going to need to reread it. This book only contains around 40,000 words and 150 pages and could easily be read in a day or two. But if you do, you've missed the point.
Take your time with the book. Once you've finished, work your way through the 'Required Reading' section at the end. Note that it is not further reading, because that would suggest the books are merely recommended. They are more than that. I see them as essential reading, as they build on the ideas I'm introducing here.
You may have noticed that the front cover of this book has an image of a lock with a chain and heavy padlock. But you would be wrong if you thought I selected this image because the book is about cyber security. This book is indeed about cyber security, but it's also so much more. It's about giving you the key to your creativity. It is about releasing you from the chains that hold you down and hold you back from thinking creatively and creating something amazing. No, it's not a self-help book, but it will help you be yourself and help make the world a safer place. I'm a hopeless business romantic, which is a term coined by marketing consultant and author Tim Leberecht. Like him, I am passionate about business and believe we all have the ability to love what we do.
The aim of this book is to do just that - help you fall in love with what you do and look at our industry and yourself with new eyes.
To do this, I've broken this book into two sections; both deserve equal consideration and time. The first section discusses my thoughts about our industry and those that operate within it. I believe we are all artists, and this section explains in detail why I believe this and why I want you to believe it too.
The second section is dedicated to Sun Tzu and his influential military treatise, The Art of War.1 It examines and expands upon his words through the lens of cyber security and data protection, and I would like you to consider how you can apply his thinking to your profession.
At this point, you may be wondering why there are two topics covered in one book; well, the answer is relatively simple.
This book started as a series of thoughts about what we do and how we do it. Over the years, I built upon these thoughts, drawing on my experiences in martial arts, at management conferences and companies I worked for, and with the cyber security sector in general. This book is the culmination of that, putting my musings in order and outlining an approach I think we should all take. I hope you can find meaning in these pages and apply it to your world, too.
Why I wrote this book: because we need it
In 2019, the UK Active Defence report stated that UK residents are more likely to be victims of cyber crime and fraud than any other crime.2
In 2020, BT asked more than 7,000 business leaders, employees and consumers globally about their opinions on cyber security, with some interesting results. First, it highlighted considerable confidence that suitable security measures are in place, as 76% of business leaders rated their organisation as 'excellent' or 'good' for protecting against cyber threats. However, the same report revealed that eight out of ten executives stated their employer had suffered a security incident in the past two years.3
For many years, it seemed as though only heavily regulated industries were interested in data protection and cyber security. From financial services to health, education and public utilities, they prioritised cyber security because their regulators compelled them. However, following a series of dramatic, headline-grabbing cyber attacks, such as WannaCry in 2017, many more organisations began to realise that they too could fall victim. And then 2020 happened.
The COVID-19 pandemic has further increased the risks we face, as we saw cyber criminals capitalise on the fear, uncertainty and doubt (FUD) that gripped the world. In Q2 2020, Action Fraud in the UK reported a 400% increase in reported phishing attacks, with scammers using the pandemic as a source of revenue.4 Note that this is only reported phishing attacks. What about all the unreported attacks? Did you report the last phishing email that landed in your inbox? Probably not. A police officer once said to me that when a crime is reported, you should multiply the number by ten to get a more accurate picture of the crime level. Of course, this is not scientific, and we can never be sure, but we could be looking at an increase of 6,500% in phishing attacks. I'm not suggesting that we should run to the police every time we receive a phishing email, but I am saying it should be reported to someone! A phishing email is a symptom and could be an indication that something isn't quite working to filter out attempts to break into your systems. I often say to people, if you were walking down the street and someone jumped out at you every day and asked you for your wallet and your PIN code, would you report it? The answer is always yes! This is what is happening in our virtual world, yet people aren't reporting it.
So why is the reporting of cyber attacks so low? Why don't people raise the flag when they've suffered an attack? There are several reasons for this, and cyber criminals are aware of them all. Let's focus on phishing emails for a second; when someone clicks a malicious link and is subject to a phishing attack, their response will depend on what happens next. They might not even notice anything has happened. For example, keylogger malware downloaded from an infected email will sit quietly in the background collecting information, and the victim will be unaware until days, weeks or months later when they are alerted to some fraud. If the payload is ransomware and the victim's device or information is made inaccessible, the first thing the user will do is call their IT support person - whether that's their child, partner, friend or IT department. Next on the list is likely to be the bank to inform them that their accounts might be compromised. If the phishing email contains malware or ransomware, the victim might even call the police. But what about corporations that fall victim? Why aren't they calling the police or Action Fraud? Yes, some will inform the police as they may have insurance policies requiring a police case number, but the response is often internally focused. Why? To put it simply: brand protection.
If a cyber attack hits an organisation, the reality is that there will be a heavy focus on brand protection and damage limitation. It may sound cynical, and there are exceptions to every rule, but when a CEO or business owner tells you after a breach that security and data protection are their number one priority, they are not telling you the whole truth. We've seen this countless times over the decades, where a breach has impacted organisations and customers only hear about it months later, after the company had "completed internal investigations". If security and data protection were truly the number one priority, the business would have informed customers at the earliest opportunity, when it discovered the breach, so they weren't left at risk from cyber criminals. But they often don't, preferring instead to conduct internal investigations to find someone to blame, speak to their lawyers or insurers, create a positive marketing campaign to drown out any negative press, and perhaps sell shares in their company before the news breaks.
Cyber criminals know all of this and capitalise on it.
Why I wrote this book: because I needed to
As I said above, this book grew from thoughts I had over many years. It began when I first started studying martial arts, which was around the same time I started down this technological path, in the early 1980s. I saw a lot of parallels between the cyber security professionals, martial artists and artists that I worked with and trained with. Anyone who studies martial arts for any length of time will most certainly come across the military strategist Sun Tzu, who is credited with writing a series of documents that became The Art of War, or more accurately 'The Art of Strategy'. Although his words on military strategy, tactics and operations were written more than 2,000 years ago, I am often struck by how relevant they are today.
The longer I work in the cyber security sector, the more I am convinced that every cyber criminal must at some point have read Sun Tzu and is using his teachings against us. This is an important point that I do not want you to miss. As you read the pages dedicated to Sun Tzu, I want you to place yourself in the mind of both a business leader and a cyber criminal. You'll quickly see that ignoring the words of Sun Tzu could leave you at greater risk of attack.
These thoughts have occupied my mind and shaped my career for the longest time, and the more I thought, the more I knew I needed to write them down. I started writing this book because I wanted somewhere I could collect my ideas on a topic I have...