Your company will be, or has already been, hacked. There is no avoiding it. The question is; who in your organisation is responsible for ensuring cyber security?
More and more organisations are falling foul of cyber security breaches. A cyber security attack can range from accidentally downloading malware (virus, worm, Trojan horse, etc.) through targeted Distributed Denial-of-service (DDos) attacks, to organised cyber crime (think online fraud from criminal gangs and the cyber espionage from nation states that you see in the movies). Statistically speaking, it is highly likely that your company has been hacked. In the 2014 Information Security Breaches Survey from the Department for Business Innovation & Skills, 81% of large organisations reported having a security breach, with an average cost of their worst security breach being £600k-£1.15m.
The challenge for most organisations is how to keep up with the myriad of required actions to effectively run a resilient security program. Let’s consider the simple question above. Who is responsible for protecting your organisation from cyber security threats? My bet is that when most people consider this question the majority think of computers and then they think of the IT department.
Cyber Security (including information, system, and network security) has long been the preserve of the CIO and the IT department. Maybe throw in a little bit of Physical Security too as we can all appreciate that it’s no good having a secure laptop that a bad-guy can pick up and walk off with.
Great, say most of the business. We’ve got lots of competent people in those departments to protect out digital assets. We’ll be well protected. However, I ask you, is that enough?
One of the cyber security issues that made recent mainstream news media was the hacking of USB drives, known as BadUSB. The underlying software used in almost every USB connection can be changed to make any computer you plug the USB into do almost anything that the hacker wants. All they need is access to the USB device. That is every USB that you could plug into your computer: phones, a wireless mouse, not to mention the memory stick that Bob from accounts found in the pub last Friday and thought “oh yea I need one of those”. The solution to this problem in my view is not a simple, but heavy handed, blanket ban on all and any USB devices. Instead, a more reasonable solution is to educate the workforce to understand cyber security risks and realise that they can’t just plug anything into a secure network.
What about phishing; unsolicited emails that encourage recipients to click on malicious links that download nasty computer gremlins, or convince an innocent user to disclose secure information. There are only so many technical controls that can be put in place to defend against phishing attacks (such as blocking websites that the emails link to). The simplest way to stop them is for users to stop and think before doing what an unsolicited email tells them to do.
One of the enabling mechanisms that we consider when designing an Operating Model is culture, embedding cyber security into an organisation’s culture has the potential to help with many of the threats identified above. Culture runs through every area of an organisation and is arguably much more permanent than a standalone programme or an initiative. Culture though; who is responsible for that? Perhaps not the technical computer wizards in the IT team….
When something does go wrong, what do you and your fellow employees do next? What happens if you’ve lost a laptop with your customer database on it and the password is 123456 (this was genuinely the most common password used last year)? Does your PR department have clear guidance on how to respond publicly to a DDOS attack at 3.30am on a Saturday morning? Who in your company decides what level of cyber risk is acceptable, or which known vulnerabilities are and are not going to be patched? Essentially what I’m getting at here is that an organisation needs a robust governance framework to deal with cyber security events and clear guidance so that employees know what to do in a given situation.
Clearly the staff in the IT department can’t be solely responsible for some of the many examples noted above.
So what is the answer to the question: who in your organisation is responsible for ensuring cyber security? If you haven’t got it by now … the answer is that you should. You and everyone else who works in your organisation have a role to play in ensuring cyber security.