John Clayton
Country Manager Mexico and Latam
Arista Technologies
Expert Contributor

The Deep Psychological Reasons Why Businesses Lack Cybersecurity

By John Clayton | Thu, 05/12/2022 - 16:00

If you can’t see it, it’s not there. Or is it? That is the general unconscious belief people and companies have when it comes to health problems, general security, climate change and now, of course, cybersecurity.

It’s the lack of mindfulness we have become accustomed to when it comes to taking care of important issues before they happen and before they get to the point of no return. 

It is the classic fight or flight response that we have deep inside us. But the fight or flight that appears within a cybersecurity context is an illusion, especially when it comes to protecting ourselves from hackers.

It’s human nature to want to seek pleasure and avoid pain. Our lives are shaped by that. It drives our behavior and this, of course, is instinct. We turn away from what could hurt us, leading us to seek pleasure, what’s more comfortable and what’s more familiar.

For example, a company is collectively a group of people who will be predominantly focused on sales generation, profit, advertising, marketing, PR, all the nice things that ultimately give us pleasure, growth, abundance – dopamine, serotonin, endorphins and oxytocin, the feel-good chemicals that heighten our egos and remind us how amazing we are! Generally speaking, we pay more attention to the things that make us feel good.

This behavior allows us to carry on as if nothing bad will happen, which takes us down the path of a false reality. It's like when the economy is in great shape: we spend money, take on credit, buy a nice car or a new home, making us feel fantastic, and our family and friends are in awe of us. Globally speaking, everything is good – until the economy starts to falter and a recession happens, and then it’s too late. Panic, fear and blame happen. We’re hurt and then the regret and remorse kick in. The pain becomes immense and then we say, “What could we have done to avoid this?”

Our mind is a master of self-deception; therefore, it can tell you that everything is OK when the reality is that it may not be, especially when it comes to cybersecurity and the avoidance of truth. They often say that the “truth hurts,” yet again giving us another reason to avoid the pain because we don’t like it when we’re hurt.

Not admitting the truth that being hacked can cause you or your company considerable pain gives you a reason to avoid the thought of having a robust cybersecurity policy in place. You don’t want to think about the mass damage to critical infrastructure that your company can suffer if your ICS (industrial control system) gets hacked, or face the prospect of being fired if you are the boss and you didn’t take a proactive approach, or if members of your team were seriously injured or even killed (this is very possible within an industrial context). This thought alone, rationally, should make anyone take action, but we’re talking about human psychology, where in lots of cases we don’t act rationally because, unconsciously, we cover our eyes and pretend it won’t happen.

Let me give you a crash course on the psychology of why we do or don’t do what we should be doing. 

Right now, many people and businesses do not value cybersecurity. With most people, it doesn’t match their values. Our values are what's most important to us and not what we “like.” For example, we pay our taxes not because we like to pay them but because we have to. It’s the law.

But in a cybersecurity context, it’s usually down the list of our values; therefore, it's not at the top of our agenda. Incidentally, our attitudes and beliefs are intimately linked to our values; we see them as a chain, all linked together.

So, if our attitude to cybersecurity is poor and our belief system is that being hacked only happens to other companies and not ours, then, of course, we do not value it. And this is the center of the problem. How much do you value cybersecurity?

As a consequence, consciously or unconsciously, businesses often believe they have better things to spend money on. It’s not currently affecting their survival agenda (usually profit), which we all have and need. There’s no acute, instant pain that gets them to react quickly, and what they perceive is that there’s no gratification: no reward for paying for cybersecurity ... yet.

They may also get very nervous when they think of the cybersecurity consultancy fee that they will have to pay. All “pain,” no instant or long-term pleasure. And what’s more, all this is unconscious, totally out of their awareness. 

Earlier, I mentioned that humans have survival agendas, meaning that we get up, we put our clothes on and go to work. We must do so to make money, to enable us to survive. But when there’s no instant threat, there’s no immediate pain or discomfort, then there’s no thought about cybersecurity, or at the very most, the mentality is, “I’ll do it tomorrow.”

A recent article on the CNBC website stated that a staggering 43 percent of online attacks are aimed at small businesses, yet only 14 percent are prepared to defend themselves. According to insurance carrier Hiscox, cyberattacks cost the average business $200,000 and 60 percent of them go out of business within six months, which is a huge problem that I foresee getting worse.

If you are an industrial company, such as oil and gas, automotive, mining or manufacturing, and you have an ICS (industrial control system) that gets hacked, your timing is compromised because hackers take control of real-life controls, devices, pumps and valves and manipulate them, causing malfunctions and timing issues, resulting in your company coming to an abrupt halt and disrupting critical infrastructure. It causes a tremendous amount of damage to the company, possibly injuring its people.

As you can see, the consequences of this are damning. If the attack becomes public, you run the risk of damaging your reputation, lawsuits, data-loss backlogs that take months to recover and, more importantly, loss of life, which is as serious as it gets.

What we are seeing now is the tip of the iceberg. As machines and critical infrastructure get more complex, so do the attacks. The message is clear: do not fall victim to a cyberattack because you chose to ignore it. Preparation, not panic, is the best way to stop your company being a target.
