Cyber Security: Looking beyond Technology
People, processes, policy and culture are crucial elements of effective cyber security
“Cyber-attacks are leapfrogging defences in ways companies lack insight to anticipate,” a recent Symantec report, which discusses the latest trends in the Threat landscape, has disclosed. Traditional cyber security defences such as anti-virus (AV) and firewalls no longer possess the capabilities to protect our personal data against advanced threats. While traditional technologies are becoming redundant, threat patterns and behaviours grow stronger.
Holistic approach to cyber security
A holistic approach to cyber security will both raise cyber resilience within organisations and deliver competitive advantage. Andrew Fitzmaurice, Chief Executive of Templar Executives, believes, “more sophisticated and coordinated attacks on the internet of things are on the horizon. Open-source codes which are widely available and free to access from the internet will also feature on threat analysts ‘watch-list’ as a key source of data breaches. To withstand these threats, it is vital businesses and organisations grow their cyber resilience”. He adds, “The best solution for businesses to protect their information will emphasise holistic cyber security. This encompasses people, processes, policy and culture supported by IT.”
Moreover, traditional defences such as AV and firewalls are failing because of pre-existing weaknesses inside ‘the castle walls’. Regardless of malicious intent or otherwise, human weakness is a fact of life.
“A survey of information security breaches by the Department for Business, Innovation and Skills highlights that people are the weakest links in the chain,” says Fitzmaurice. “It found that 58 per cent of large organisations and 22 per cent of small businesses suffered staff-related security breaches in 2014. It is important for businesses to realise the need to be proactive, rather than reactive, in order to protect themselves against the coming years’ threats.”
The bypassing of company security policies, such as emailing confidential business information to personal email accounts, is a symptom of an organisation which is not ‘business enabling’. Similarly, employees need to recognise and know how to mitigate against malicious intent or activities, such as Social Engineering or Phishing.
Training and awareness
Training is critical to raise awareness and understanding of the importance of good cyber security practice. Policies are often set and communicated without follow-up employee engagement. Leaders need to ‘finish the conversation’; explain why these policies are important, in a way that everyone in the organisation understands and is able to apply relevance to their role and the business.
Individuals need to know their accountability, and the consequences of ignorance, breach or complacency. In recent news stories, examples of consequences to businesses include crippling financial fines, loss of IPR, business disruption and damage to reputation. Added to this, future penalties for data breaches will include jail terms for all those deemed accountable.
Engagement, Training and Awareness are essential to build a culture that protects, values and safely exploits information and optimises business objectives and reputation. The need to introduce proactive, preventative measures rather than a reactive ‘patch’ approach is vital for survival in this space. Leadership is key and measures need to proportionate and appropriate. Board members need to be exemplars and upskill to develop their own knowledge and capabilities. Ensuring all employees receive the right training at the right time will help foster a culture in which good information assurance becomes ‘business as usual’. Enablers to ensure this is the established norm include: communication, management practices and organisation levers such as performance management and reward.
Organisations which demonstrate real cyber maturity will incorporate training into all aspects of business life, from the induction process to the exit interview. Employees will also reap the added value of being able to apply this learning to everyday life. Due to the interconnected nature of business, mature organisations will need to extend key messaging and knowledge sharing to their third party suppliers and contractors, in order to prevent supply chain vulnerabilities.
Companies who are able to demonstrate that they look after information will ultimately add more value to their business. This can be translated positively to the bottom line – they are more likely to deliver competitive advantage, win business contracts with the UK Government, as well as in the private sector. In addition this will enhance business reputation, customer and investor confidence, leading to increased brand value and share price.
Andrew Fitzmaurice Chief Executive