Your favorite Secretary of Defense Donald Rumsfeld once uttered a strange phrase when discussing the situation in Iraq: “there are unknown unknowns.”
It sounded like nonsense to the general public on first hearing, but in reality, the statement stems from fields like psychology, risk assessment, and project management. Rumsfeld later defined the term as “things you don’t know [that] you don’t know.”
Whatever your thoughts on SecDef Donald Rumsfeld (and I’m sure you think of him all the time), the fact is that the concept of “unknown unknowns” does apply to organizational thinking and planning. In our case, what we’d like to consider is how this applies to IT and cybersecurity by focusing on one particular “case study” field.
Non-profit organizations are ripe targets for cybercrime. If you aren’t a non-profit, before you close out this blog to look at college football scores, keep in mind that what we are focused on here is the psychology of threat assessment. This organizational psychology or perception problem is strikingly visible in non-profits, but it applies to all fields and industries.
There are a variety of reasons non-profits are ripe targets. Data suggests that non-profits are in the “Top 10” of industries targeted by cybercriminals. BUT, importantly, non-profits are in the “Top 3” of high- and critical-severity attacks. What does this mean? Well, it means that while there are a number of other industries with higher rates of targeting, non-profits face much more serious cyberattacks that “usually involve detected hands-on-keyboard adversary activity and the use of sophisticated malware and vulnerabilities,” according to CrowdStrike.
So, cybercriminals use sophisticated tools (instead of broad, blanket malware), targeting non-profits with specific “hands-on” intention. Why?
There are the “usual suspect” reasons, but then also one underlying reason that involves the organizational psychology discussed above. The usual suspect reasons are indeed true: non-profits tend to have more limited IT & cyber budgets, poor cyber hygiene practices and policies, and oodles of valuable personal and financial data stored on their networks. Additionally, by their nature, non-profits are typically associated with social or political causes; inevitably, this means that ideological hackers are more likely to target those organizations.
But again, we ought to ask a “WHY” question. If an objective third party looked at the fact that a non-profit held valuable, lucrative data, and that the nature of the organization could provoke ideological opposition, that third party would clearly recommend more robust cybersecurity budgets, policies, and practices.
So why do 68% of non-profits have NO documented policies or practices for what to do in the wake of a cyberattack? Why do 71% of non-profits allow employees to access data with unsecured devices?
The answer to these questions has to do with the problem of organizational perception – how workers in this field think about their work and their organization. Simply put: non-profits are high-priority targets because they themselves THINK THEY ARE NOT HIGH-PRIORITY TARGETS. They assume their data is not valuable. They assume they are not “big fish.” They assume their risk is lower than other organizations because of their size, scope, and purpose.
This “perception” of safety leads to a lack of vigilance, and this lack of vigilance leads to becoming a cyberattack victim. For non-profit leaders, cyber threats are an “unknown unknown” – something they don’t know that they don’t know. This perception problem is what leads to victimization.
But this perception problem (that is, not realistically perceiving an organization’s cyber risk) happens to leaders in all fields and industries. The long-standing, default view has been that IT is simply a barely visible part of business infrastructure, like buildings or fleet vehicles. Sure, maintenance and upkeep are necessary, but as long as IT is functioning, we are good to go.
But that approach has been long outdated, even if it is still prevalent in many industries. IT and Cybersecurity threat issues should no longer be an “unknown unknown” to business owners. Rather, these should be part and parcel of your regular risk assessment. While the specific cyber threat you face may be an “unknown,” what should be a “known known” is that you do face cyber risk. With this “known,” you can incorporate appropriate cyber planning, budgets, policies, and practices into your business.