The recent global ransomware worm, infecting more than 250,000 computers in 150 countries and as many as one in five of all NHS Trusts in the UK, is proof of the disruption that a cyber attack can bring to an organisation.
Nick Coleman, global head of cyber security intelligence at IBM Security, hopes that those in the C-suite can learn from the events of recent weeks and take the risk of cyber attack seriously. But here’s the thing, why should it take such an event to get the C-suite sitting up and taking the cyber threat seriously?
Cyber security concerns
Darren Thomson, chief technology officer and vice president at Symantec, says recent breaches have made it evident businesses of all sizes are failing to implement integrated, holistic security programmes.
“Organisations often claim to be keen to invest in data-breach prevention, but in reality, operating a standalone project does not solve the complex cyber-security challenges businesses face today,” says Mr Thomson.
“Our State of European Data Privacy Survey revealed only 14 per cent of IT executives and decision-makers believe that everyone in an organisation has the responsibility to ensure that data is protected.” What the other four out of five think should be seriously worrying to all organisations.
Brian Lord, managing director of PGI Cyber and the former deputy director of GCHQ in its intelligence and cyber operations division, blames “excessive scare sales tactics and incoherent advice over real focused business risk, supported by huge prices for solutions” for a C-suite decision-making paralysis. It’s a paralysis often only broken by a breach.
I’ve seen multiple breaches in the same organisation
David Emm, principal researcher at Kaspersky Lab, agrees that the board “needs to understand the core issues surrounding security and that there is executive buy-in to the measures needed to secure the company”. This is, after all, what makes the job of the chief information security officer (CISO) so important. They act as a bridge between the board and the IT department.
How to engage at this level, then, becomes paramount. Quentyn Taylor, director of information security at Canon Europe, has a good point when he says to properly engage with the C-suite “you need to put the risk in terms they understand and that link to competencies they will engage with”.
Martijn Verbree, cyber security partner at KPMG, agrees that it’s all really about improved communication. “The board will often talk in business speak while the cyber team will talk in tech speak,” he says. “Both sides need to know what is the organisation’s risk tolerance, which things are top priority to protect and how well developed are the company’s defences.”
All this said, does becoming a victim usually lead to the implementation of security measures that should have always been in place though? Amanda Finch, general manager of the Institute of Information Security Professionals, says CISOs and security teams that have been through a serious breach are more confident in dealing with these occurrences and take a more flexible and pragmatic stance towards risk management and prevention.
“First-hand experience of crisis management helps to be better prepared to deal with future breaches both at CISO level and in the way they work with the board to set up the dependencies and information flows upstream,” she says.
Greg Day from Palo Alto Networks sits on the UK National Crime Agency steering committee. Mr Day is adamant that any significant cyber incident should always lead to learnings and improvement; the question should be by how much? He says: “When an attack does get through and a business becomes a victim, the organisation must ask why didn’t we see it quicker?”
However, this is not always the case. Dr Guy Bunker, senior vice president at cyber security company Clearswift, says: “I’ve seen multiple breaches in the same organisation, so evidently what they do after the first breach is not always enough to drive up security to prevent the second and subsequent breaches.”
So what is enough?
While there is no cyber-security silver bullet, Bharat Mistry, principal security strategist at Trend Micro, has put together a checklist of essential threat mitigation options:
01 Make sure cyber security is a board-level concern, and cyber risks should be reported and treated as any other business risk.
02 Cyber security is not just the responsibility of the IT department; stakeholders from all areas should be involved.
03 Undertake a cyber-security maturity assessment to identify holes in your current cyber-defence strategy and initiate a programme to remediate; this is not just a technology problem, it’s having the right skills and processes.
Terry Greer-King, director of cyber security for Cisco UK, Ireland and Africa, thinks the whole debate could soon become moot anyway, courtesy of the European Union General Data Protection Regulation (GDPR).
“If a cyber attack doesn’t get leaders to sit up, GDPR will force them to,” he says. “Data breaches of the most important provisions could lead to fines of up to €20 million or 4 per cent of a company’s global annual turnover.”
Indeed, GDPR specifies that organisations have to appoint a specific data protection officer, who is distinct from a risk officer and all IT functions that currently exist. “It’s a role that has to sit outside IT and outside the boardroom to have the independence to ensure the business adheres to the regulation,” Mr Greer-King adds.