Business Leaders Can Make Big Mistakes About Cyber Security

Uploaded on 2021-08-24 in TECHNOLOGY--Resilience, FREE TO VIEW

The past two years of Coronavirus been very challenging for many businesses, both large and small. Some had to close their offices and rapidly convert the workforce to remote working for their employees, pushing through frequently incomplete digital transformation strategies to make it happen as quickly as possible.

Many of these business discovered that protecting their operations from from cyber threats suddenly became much more urgent and business leaders were hard -pressed to get up to speed in understanding and dealing with their organization' heightened level of cyber risk.

Today, every business needs to address cyber security to operate in the online world and regardless of the size of the business, the reality is that cyber security is not just the domain of security professionals or its executives. Every single employee within a company has a hand in the protection of the business, as they handle company data, manipulate it, and communicate it as part of their jobs.

Business leaders must trust their employees with sensitive data to ensure they can effectively do their jobs. But a data breach involving sensitive board information can result in costly litigation and devastate an organisation’s reputation. Cyber criminals are acutely aware of the gateway that employees create for malicious activity. This is evidenced by the fact that long weekends and public holidays are the preferred time for cyber criminals to attack, as IT staff are unlikely to be monitoring activity, making it more difficult for companies to react quickly.

At the same time, company Boards and Senior Executives have experienced a much higher level of personal jeopardy, with CEOs forced out of their jobs as a result of inadequate performance when confronted with cyber security issues, like breaches, data loss, heavy ransom demands, reputational damage and often crushing financial consequences.

Although cyber security is now most definitely on the board’s agenda in most organisations, it is rarely a fixed item. More often than not, it makes appearances at the request of the Audit & Risk Committee or after a question from a non-executive director, or in response to a security incident or a near-miss. All this hides a pattern of recurrent cultural and governance attitudes which could be hindering cyber security more than enabling it.

There are three big mistakes the business leaders need to avoid to promote cyber security and prevent breaches.

Downgrading       

Every organisation is different and the COVID crisis is affecting each one differently, but pretending that the protection of the business from cyber threats is not a relevant board topic is both negligent and consequently an issue r of poor governance which non-executive directors have a duty to recognise and and address.

  • Cyber attacks are in the news every week and have been the direct cause of millions in direct losses and hundreds of millions in lost revenues in many large organisations across almost all industry sectors. 
  • Data privacy regulators have suffered setbacks in 2020: They have been forced to adjust down some of their fines, and we have also seen a first successful challenge in Austria leading to a multi-million fine being overturned. Regulatory fines are now becoming very costly, potentially reaching 4% of global turnover under GDPR regulations and the risks should certainty register with most company boards.
  • The Coronavirus crisis has made most businesses heavily dependent on digital services, the stability of which is built on sound cyber security practices, in-house and across the supply chain. Cyber security has become as pillar of the “new normal” and even more than before, should be a regular board agenda, clearly visible in the portfolio of one member who should have part of their remuneration linked to it. 

Treating It As Exclusively An IT Problem     

This is a dangerous mistake to make at a number of levels. Cyber security has never been a purely technological matter and the protection of the business from cyber threats has always required concerted action at people, process and technology level across the organisation. Reducing it to a technical issue downgrades the subject, and as a result the calibre of talent it attracts.

  • In large organisations it can led to a persistent failure to address cross-silo issues around identity or vendor risk management, in spite of the millions spent on those matters with tech vendors and consultants. It should not be left to the CIO to deal with, unless their profile is sufficiently elevated within the organisation. 
  • Alternative organisational models don't necessarily deal with the challenges of the digital transformation and the prioritisation of data privacy, even taking proper account GDPR. It is quite easy, in particular in large firms, to over-engineer the three lines of defence and to build monstrous and inefficient control models. Proper cyber security depends upon trust, and must bring a visible benefit to each part of the control organisation to avoid creating a culture of blame and finger-pointing.

Throwing Money At The Problem        

Protecting an organisation from cyber threats is a mindset that is best ingrained in an organisation's culture, not something you can simply purchase of the shelf. Indeed, most of the breached organisations of the past few years would have spent collectively tens or hundreds of millions on cyber security products over the last decade.

A lack of adequate investment in workforce skills and cybersecurity training  is certainly risky, as IT teams struggle to keep corporate networks operational and secure  when the rise in remote working is adding to their security challenges.

CISOs need to be in communication with the board in order to ensure that they understand  the needs of cyber security and that they are making the right levels  investment, but where the level of cyber security awareness among the workforce is low and a major change in culture and attitude is required, just spending money at the problem is not the answer. It is more important to focus on a providing leadership in building cyber security awareness.

This needs to start at the top of the organisation, with a highly  visible and credible board commitment, that can be promulgated throughout  the organisation.

Technative:      HelpNetSecurity:       Information-Age:    DLA Piper:      ZDNet:     Image: Unsplash

You Might Also Read: 

Cyber Security Is The CEO’s Biggest Problem:

 

« Webinar: Adapting detection and response strategies to the cloud
Businesses Pay A High Price For Automated Bots »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Hex Security

Hex Security

Hex Security Limited is a specialist Information Assurance (IA) consultancy working with associates and partners to deliver security certification and accreditation support.

ThaiCERT

ThaiCERT

ThaiCERT is the national Computer Security Incident Response Team (CSIRT) for Thailand.

ThreatHunter.ai

ThreatHunter.ai

ThreatHunter.ai (formerly Milton Security) is a business that tracks down and mitigates attacks in real time using our ARGOS Platform and our Elite Threat Hunters.

Ahope

Ahope

Ahope is a mobile security solution provider in Korea with a long history of security solution development.

Boldon James

Boldon James

Boldon James are market leaders in data classification and secure messaging software.

Qufaro

Qufaro

Qufaro is a new initiative designed to make it simpler for those with career ambitions in cyber security to access the UK’s cyber-specific education and innovation opportunities.

DynaRisk

DynaRisk

DynaRisk helps companies protect their staff, clients and supply chain from cyber threats by enabling people to take action for themselves.

CloudAlly

CloudAlly

CloudAlly provides online cloud to cloud backup and recovery solutions, which backs up daily changes in your SaaS to unlimited Amazon S3 storage and makes it available for restore or export.

CERT.lu

CERT.lu

CERT.lu is an initiative to enhance cyber security practices and techniques, and support security professionals in Luxembourg.

Conference Index

Conference Index

Conference Index provides an indexed listing of upcoming meetings, seminars, congresses, workshops, summits and symposiums across a wide range of subjects including Cybersecurity.

Techleap.nl

Techleap.nl

Techleap.nl is a non-profit publicly funded organisation helping to quantify and accelerate the tech ecosystem of the Netherlands.

KT Secure

KT Secure

KTSecure’s mission is to provide proven and productive cyber security solutions and managed services, backed by our highly qualified and passionate team of experts.

National Academy of Cyber Security (NACS)

National Academy of Cyber Security (NACS)

National Academy of Cyber Security provides Professional Training Courses and Programmes in Cyber Security.

du

du

du is a telecommunications service provider providing UAE businesses with a vast range of ICT and managed services.

Acumen

Acumen

Acumen's cyber security engineers protect your critical systems, in critical moments. We are here when you need us most.

Icon Information Systems (ICONIS)

Icon Information Systems (ICONIS)

ICONIS is an integrated infrastructure and service provider, offering unified Information Technology (IT) solutions globally.