Alan Levine | March 26, 2018

Cyber, a C-suite issue

As seen on Professional Security...

Board members are recognised as a trusted group of individuals with the expertise and experience to oversee the overall activities of an organisation. They hold a very privileged and powerful position, with access to a multitude of sensitive corporate data. However, with great power comes great responsibility, and it should be the duty of the C-Suite to know how to keep this data secure, especially in the current security threat landscape, writes Alan Levine, Security Advisor at cybersecurity software firm Wombat Security Technologies.

However, research from the UK Government in 2017 stated that as many as 68pc of those in FTSE 350 firms have no in-depth knowledge of cybersecurity. Not only does this represent a major security risk but it also suggests that there will be a lack of security awareness company-wide. This lack of awareness exacerbates an already troubling issue, as IT security teams are struggling to cope with the modern cybersecurity environment. PWC’s Global State of Information Security Survey 2018 revealed that many key processes for uncovering cybersecurity risks in business systems, including cybersecurity awareness and training, had been adopted by less than half of infosecurity professionals surveyed.

The risks are even greater with the upcoming implementation of the General Data Protection Regulation (GDPR) just around the corner. Organisations need to learn how to protect their data or they will face a huge fine of up to 20 million euros, or 4 percent of their annual turnover. For this reason, it is more pressing than ever that the Board embraces and promotes a comprehensive cybersecurity strategy. However, it’s the job of infosec professionals to ensure that the C-Suite are on their side. While, this may seem like an impossible task at times, technical professionals need to remember that winning over the board requires a business focused and impact driven strategy.

Knowledge

There’s no doubt that organisations are under a greater threat today from cyberspace than they’ve ever been. According to the Online Trust Alliance’s (OTA) Cyber Incident and Breach Trend Report, reported cybersecurity incidents have nearly doubled from 82,000 in 2016 to an estimated 160,000 in 2017. Many of these threats sought to take advantage of the low levels of cybersecurity awareness among end-users. That’s why phishing is so popular. Our 2018 State of the Phish Report revealed that 76 percent of organisations experienced a phishing attack in 2017. Phishing can enable hackers to infiltrate a corporate network, especially if they manage to elicit privileged account log-ins that provide them with a direct route to highly sensitive data. In seconds a hacker can be the king of the corporate castle.

Of course, these sorts of numbers should get the C-Suite’s attention and act as an incentive for them to invest more attention and capital into cybersecurity. This may seem logical to infosec professionals, but you shouldn’t assume that Board members are fully aware of the current security threat landscape, or that they even understand it. When trying to get Board members ‘on board’, one essential point you need to remember is who your audience is. Board members are business people and the majority of them won’t have a background, or any training in cybersecurity. And with extremely high-pressure jobs, they may not be able to keep up with the latest security news. Your knowledge of the security landscape can be used to your advantage but you must present it in a way that resonates with the Board. Instead of focusing on technical details, present them with a general overview and highlight the business impact that cybersecurity failures can cause. For example, they need to know that ransomware is a huge threat. UK businesses detect an average of 38 new ransomware attacks each day. However, when introducing the importance of this to the Board it would be more effective to highlight the high financial and reputational impacts that successful ransomware attacks have on businesses. Using real-world examples from recent high profile news stories will also strengthen your argument. For example, the NotPetya attack cost Danish shipping giant Maersk over $300 million.

Training

Shockingly, the OTA’s report mentioned above concluded that 93 percent of cybersecurity incidents in 2017 could have been prevented by following basic security best practises, such as conducting phishing awareness training. With so much at stake financially and reputationally, organisations cannot afford to allow data breaches or damaging service outages to take place because of human error. Employees are a corporation’s last line of defence against cyberattacks, so they must be given the right skills and tools to effectively participate in the fight against cybercrime. In the US, 41 percent of organisations train their end users to recognise and avoid phishing attacks monthly, whereas in the UK only 15 percent of organisations do the same. Instead the majority (44 percent) of UK organisations train their employees only four times a year, so UK companies really need to step up, and they need C-Suite backing to do so. IT professionals need to ensure security training is spread not only to employees, but the Board as well. Board members are often overwhelmed with busy agendas so it’s important that training is kept short and focused. Establish a continuous learning approach, using interactive bite-sized lessons throughout the year, followed by practical, relevant feedback for both the C-Suite and employees.

In the long-term, with both the C-Suite and infosec teams at the helm, everyone in the company should understand the importance of a strong cybersecurity defence posture, which includes continuous training and awareness. Behavioural change takes time, but the C-Suite needs to recognise that they are key players in influencing their organisation’s cybersecurity culture, and that they have a responsibility to set the tone for the business’s security awareness.

Read this article on Professional Security