The essential mistake many organisations make with cybersecurity can be summarised quite simply by the “it won’t happen to us” mentality.
While cybersecurity may be becoming an item of increasing importance at board meetings, this doesn’t mean it’s given the full appreciation it deserves, or that board members have the knowledge required to address the challenges that come with it.
Many leaders appear to have reached saturation point on the issue. Dire warnings of online security threats have become so commonplace that it feels as though there is little else to do, other than trust in the IT department’s skills and get on with life. This is particularly true when many board members come from backgrounds rooted in other areas of expertise or risk.
But does this mean that organisations are safe, that client and supplier data is secure, that payments are failsafe and that computer systems and services will continue to function without problem? In a word, “no”. No organisation will ever be 100% secure; there is no such thing in cybersecurity.
While advances in artificial intelligence are increasingly cited as the next big thing for digital resilience, they are a double-edged sword: as defensive systems improve, so do the criminals’ tools and skills. This is evidenced by news of the latest hacking, ransomware and data loss, whether it relates to the reported attacks on Carphone Warehouse’s data or the recent review of aeroplane-hacking vulnerabilities.
There are real financial and reputational risks to consider, both of which affect the bottom line. Organisations spend a significant amount of time and energy reviewing the various activities that make their work successful, ranging from product research and development through to how bad weather might disrupt service delivery. Cyber risk is no different and certainly no less important.
Threats from within
The biggest threat comes from an organisation’s own people. Whether it’s through a disgruntled employee or a naïve or absent-minded worker, insider threats can destroy an organisation’s credibility in an instant.
This is heightened by poor institutional education, training and motivation. It only takes a moment for an uninformed staff member to introduce malware into a company system, for example by carrying an infected USB stick between home and work.
Education, training and motivation need regular review, alongside live policies and practices that form the core of an organisation’s strategy. Any plan must include training and should also feature simulated scenarios in which the company practises being hit by an online threat. Practice runs that let board members ask questions such as “What would the reaction from our CEO or spokesperson be?” and “How would we communicate a cyber-breach to our stakeholders and the media?” are invaluable preparation for “what if?” situations.
Cybersecurity is too important to be treated as a mere operational add-on with overall responsibilities being delegated to the IT department head or the COO. It’s a corporate-wide responsibility that needs to be part of an organisation’s daily culture and fully embedded in its disaster-recovery plan.
Vulnerabilities and the Internet of Things
The way we all work, play and socialise has changed because of the new phenomenon known as the Internet of Things. This shorthand describes the online interconnection of computing devices embedded in everyday objects, ranging from office phones and fridges, through to thermostats and CCTV. It is estimated that within two years, around 26 billion devices will be connected to the internet.
On average we create 2.5 quintillion bytes of data every day; that’s 2.5 billion billion bytes. Add to this the fact that 46% of UK businesses have identified a cybersecurity threat, and it is clear that this increasing connectivity is challenging online safety in new and unexpected ways.
In this era of increasing connectivity we can all be victims, or at least targets. Too many businesses are caught out thinking: “It’s not going to be us, we are not that important.” This is precisely when the organisation becomes most exposed.
In 2016 the UK government set out plans to commit £1.8bn to the National Cyber Security Strategy, working with organisations from the private sector and public agencies to create the National Cyber Security Centre, a Cyber Innovation Centre, and an Institute of Coding.
I was privileged to meet the then chancellor of the exchequer, George Osborne, and be part of discussions which led to the opportunity to create a National Cyber Park in Cheltenham with the National Cyber Innovation Centre at the heart of it.
The University of Gloucestershire is currently leading discussions with a select group of businesses and universities to review the shape and form of this national park, and is also one of 17 universities helping graduates develop skills in writing secure software as part of the new Institute of Coding.
Organisations such as GCHQ are very good at keeping things closed, whereas private and public companies too often grant high-level access to internal systems to far more employees than need it.
The trick is to remain open and accessible in a way that still allows tasks to be carried out securely. This matters because attackers are not always interested only in business data. Often they want to reach partners’ sensitive information, and increasingly they are after the large amounts of computing power that big businesses possess, which they hijack to mine cryptocurrency.
Board responsibility
So what does this mean for boards and the steps they need to take to better protect organisations, particularly at a time when cybersecurity and data protection has never been so manifestly under the spotlight?
The ultimate answer to keeping organisations safe is to take the best precautions possible when it comes to infrastructure and people, and then be prepared to act if things go wrong. Notably, 95% of internal breaches are caused by human error. Training and education must be ongoing, because digital resilience is a process, not an event. It should be viewed as a journey that requires continuous vigilance and it has to be part of the organisation’s ongoing risk assessment.
In our quest for digital resilience the individual is our first line of defence; we should all think of ourselves as human firewalls within our organisations. It is vital to ensure systems are updated regularly, and to understand that security is a continuous process. Your neighbour could be the weak link, so help them. Share good practice amongst top teams and throughout the organisation, and have a plan for when it all goes wrong.
Cybersecurity knowledge and expertise is becoming a requirement, or at least an expectation, for the majority of directors. At the University of Gloucestershire we provide training at both employee and executive level, with introductory courses providing an overview of cybersecurity, including the different motivations and methods of “threat actors”, details on why an organisation might be targeted, live hacking demonstrations and guidance on improved security behaviour.
Our executive sessions equip the C-suite with an understanding of cybersecurity roles and responsibilities. The most important difference between the two levels of training is that senior participants explore the governance behind cybersecurity, and the learning places an emphasis on their ability to respond effectively if the organisation experiences a breach.
Ultimately, board members need to take responsibility and ensure that their cybersecurity plans are detailed and well informed by security executives.
Directors place themselves and their organisations at risk by failing to consider how their actions will support organisational objectives and strategic success.
Professor Kamal Bechkoum is head of business and technology at the University of Gloucestershire.