According to J. Eduardo Campos, the typical reaction following a cyberattack is for a business to review the incident, and often this leads to an update in a system or investment in new technology. These changes are costly, and they are not always effective. An important reason for the lack of effectiveness is the people factor.
Campos, who runs a consultancy called Embedded-Knowledge Inc., says that “the problem’s root cause is usually not the technology, but people.”
Campos outlines the people factor in his book, co-written with his wife Erica, titled “From Problem Solving to Solution Design: Turning Ideas into Actions.” The book assesses how complex organizational problems have several stakeholders, endless variables, and a myriad of possible solutions, which make finding the right solution challenging.
Many large businesses, Campos states, take a simplistic approach, assuming “computer hacks are an IT department’s problem.” Businesses that adopt this rationale are heading for trouble. The reality, he explains, is that “cybersecurity is everyone’s job.”
Campos places emphasis upon the design techniques needed to develop cybersecurity systems and protocols. For this he outlines what he terms the I.D.E.A.S. framework. The mnemonic runs:
Identify: This means getting to the root cause of the problem. To do so requires stepping back and assessing the situation. This is necessary to ensure that the business is not just treating the symptoms.
Design: To avoid security breaches, businesses should take time to determine the solutions necessary to address all the problems related to these issues.
Engage: Businesses must confirm that everybody who is impacted by a new cybersecurity program is on board with the changes. This means focusing on the cultural aspects.
Act: For this, training needs to be rolled out for all employees to explain things like the common ways hackers can enter a system, including phishing scams.
Sustain: This requires monitoring and designing metrics to maintain cybersecurity policies and implement an accessible system for employees to identify and report incidents.
If a business does this, Campos notes, it “will have a much better chance of countering criminals.”