Are you gambling on cybersecurity?
Cybersecurity is a high-stakes game and people aren't aware of the risks, says professional poker player and statistician Liv Boeree
The links between the international poker scene and cybersecurity are not, at first glance, obvious. One is a game of outwitting your opponents utilising skill, psychology and luck; the other is poker.
Olivia 'Liv' Boeree is a poker champion with a background in STEM, having graduated from university with a degree in Physics with Astrophysics. Although she admits to not being a cybersecurity specialist, she co-authored a report on the subject last year titled 'Odds of a Bad Bet', and draws parallels between the two areas:
"I would never call myself an expert in cybersecurity, but I like to think I'm an expert in thinking about the world and the decisions we make in a quantified statistical way… If you're playing a game like poker where you've got competitors who you're trying to play against, and some of them abide by the rules but sometimes some of them don't… I think that also translates to the business world.
"[In business] you've got both good and bad actors who are looking to either outcompete you in a legitimate way, through business, or outcompete you because they're criminals. And so that's obviously where cybersecurity comes in: where not only do you need to be at least on par or ahead of your competitors, but also then be out-thinking what criminals might be doing, trying to take your business."
People who play poker know that they're gambling, but Boeree says that people in business aren't aware of the risks they're taking when they fail to invest in cybersecurity - which is also a form of gambling.
"They don't quite appreciate that they're in this game, this rat race, and they don't appreciate quite how high the chances are that their business will suffer an attack."
Around a third of businesses suffered some sort of downtime due to ransomware in 2017; the number of attacks has doubled since then, as it is now cheaper and easier than ever to develop and launch a threat. The chance of bad actors taking down essential business services is now "basically a coin flip", but there are still companies that fail to insure themselves.
Changing the terminology we use to talk about protecting against attacks - describing it as gambling or insurance - could help.
"Making people aware of the game that they're playing is the first step," says Boeree. "Maybe something like wearing a helmet when you're skiing. When I first started skiing...even as a kid on a school trip, they never made us wear helmets...
"Then Michael Schumacher [had his crash,] and various other things came to the public's attention and it's like, shit, skiing's actually pretty dangerous, and it's usually head injuries. It's such a low-cost thing to wear a helmet, and now it seems horrifying to ski without it. And it's just one of those things where I think we were gambling without realising that we were gambling...and this is just another example of that."
Boeree worked with secure collaboration platform Wire to produce her report, so it is no surprise that she has some harsh criticisms for email when it comes to cybersecurity. Relying on email is "a technology problem", she says, but the human behind the email is just as important.
"It's technology: technology plus humans. No matter how good you are, I don't think you can correctly spot them [all], particularly as cyber criminals are getting smarter. They know how to write emails now to make you click on them."
Staff training is a must to counter the rising frequency of attacks, as is moving away from so-called legacy technology like email. "It might have been fine around 2003, but it's not suitable [now], certainly not for the 2020s," says Boeree. She believes that modern communication platforms like Slack, Microsoft Teams and Wire present "the only viable way of moving forward for companies, certainly for big businesses".