One step ahead: Safeguarding your business from the top down
Mon, 4th Sep 2017

It's never been more important for businesses to remain one step ahead of cybersecurity attacks.

Any company bound by rules and regulations has an obligation to protect the interests of its stakeholders, including its customers, against cybersecurity attacks. Failing to do so harms those customers and damages the company's brand.

From an economic standpoint, Juniper Research findings suggest cybercrime will cost global businesses over US$8 trillion in the next five years.

A top-level discussion

For a long time, the discussion about cybersecurity and how to handle imminent threats was only had by CIOs and IT departments.

However, the conversations about cybersecurity have started to change. Cybersecurity is increasingly being addressed by executives at board level. We have seen an uptick of this particularly in the last five years.

This has been triggered mainly by the widespread impact cyber threats have had on businesses globally. Just look to the recent WannaCry ransomware attack, which infected more than 200,000 computers across some 150 countries, including the UK, China and Russia, as an example.

Often, however, mitigation plans against cyberattacks fail due to a lack of support from the board. But if the board starts leading the charge, it's more likely the plan will succeed.

An Australian government survey found that if an organisation considers cybersecurity at board level, it is more likely to be resilient against attacks than organisations that do not.

In many parts of the world, regulators and investors now expect boards to include directors who come from a security background, or at least are security literate. In Australia, boards will soon be held more accountable than ever before when a breach occurs.

New laws passed in February 2017 by the Australian government require Australian businesses and government agencies to notify the Privacy Commissioner and affected individuals when they experience an eligible data breach, meaning one likely to result in serious harm to the people whose information is involved. The scheme is due to take effect in February 2018. The decision by the Australian government follows in the footsteps of other jurisdictions that have taken similar actions. The European Union, for instance, is introducing the General Data Protection Regulation (GDPR). Due to apply from 25 May 2018, it requires businesses operating in the EU to notify their supervisory authority of a personal data breach within 72 hours of becoming aware of it, and to inform affected individuals where the breach is likely to put them at high risk.

With so many legislation changes emerging in various global markets, it's wise for companies with an international interest – or intentions to expand internationally – to adhere to the most stringent of international cybersecurity regulations by making it a top priority at board level.

The human element

In addition to engaging the top executives, a company must take into account the readiness of the user population, who, unlike the board, may not have a great understanding about the importance of cybersecurity. A company that focuses on just the technology to implement a cybersecurity policy is headed for failure.

It's important to ensure businesses have a well-educated user base. Part of that involves taking the entire business along the journey, especially now that insiders are increasingly putting businesses at risk.

In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders – with three-quarters involving malicious intent and one-quarter involving inadvertent actors.

Businesses need to provide training and education programs to help users understand the importance of cybersecurity and best practice. Coming up with a strategy and writing a cybersecurity policy is the easy part. A strategy cannot be successful or sustained if it can't be followed. A well-formed cybersecurity strategy that outlines basic cybersecurity hygiene needs to be clear and easy to understand; otherwise there will, naturally, be push-back, which is the worst possible outcome.

An approach many multinational companies are starting to use is humour as part of the education process. It's easy to have a really boring training program where everyone switches off, so making it humorous can make the training and education piece of the cybersecurity strategy sticky.

Businesses can spend a fortune on technology tools, but they're missing the point if they're trying to address security purely with technology. It has to be people on the frontline, technology in the middle, and people on the backline.

Staying one step ahead

It's always going to be difficult for organisations to stay one step ahead, especially as remote and cloud-based work becomes the norm.

It's important that businesses never get complacent. It's easy to acquire a collection of security certifications and badges, but you need to be prepared for the constant evolution of threats, and a first-rate security policy needs to reflect that.

Listen to your peers, see what other organisations are doing to protect themselves, and learn from their experience when they are attacked. It's important never to let a good disaster pass you by.

Hiring professional hackers, known in the industry as white-hat or ethical hackers, to test your systems through penetration testing can also help businesses understand where their weaknesses lie before an attacker finds them.

New technologies such as machine learning can greatly assist security teams in detecting and mitigating threats in real time. The same technologies also give board members a more holistic view of the organisation's security posture, so they can understand the risks to their business environment and direct the response to them.