As Russia’s invasion of Ukraine continues, there has been heightened concern that the conflict will unleash an accompanying wave of fresh cyber attacks on businesses throughout the world.
While companies strengthen their systems and preparedness during this period of geopolitical uncertainty, it is important to recognise that cybersecurity is vitally linked to all business risk and success.
Most recently, the discovery in Ukraine of a “wiper” malware, a denial-of-service attack, which paralyses websites by bombarding them with information requests, has accelerated a rush by businesses worldwide to bolster their defences against cyber threats.
Other recent alleged Russia-linked cyber attacks have included targets ranging from government services and transport hubs through to private corporations, hospitals and energy pipelines. As a result, all organisations should be increasingly vigilant over the coming days, weeks and months.
Cybersecurity is too important to be treated as a mere operational add-on. It’s a corporate-wide responsibility that needs to be part of organisational culture and fully embedded in disaster recovery plans.
Boards and corporate leaders too often look to IT for a solution, but it is vital to work closely across the organisation and act with unified purpose. On average we create 2.5 quintillion bytes of data—or one billion billion bytes—every day, and it is clear this increasing connectivity is challenging online safety in new and unexpected ways.
This necessitates formal approaches to ensuring networks, computers, mobile devices and software are all regularly updated, access to sensitive data and passwords is secure, and staff are aware that phishing attacks may increase and are trained to respond appropriately.
These processes need frequent review, in addition to the adoption of live policies and practices which link to the core of an organisation’s strategy. Plans should include training and simulated scenarios where a company practises being hit by a major online threat.
Test runs enable board members to ask questions such as “What would the reaction of our CEO or spokesperson be?” and “How would we communicate a cyber breach to our stakeholders and the media?”
Training and education
In this era of increasing connectivity and global threats we can all be victims. Too many businesses are caught out thinking “it’s not going to be us, we are not that important”. This is precisely when the organisation becomes most exposed.
The ultimate answer to keeping organisations safe is to take the best precautions possible when it comes to infrastructure and people, and then be prepared to act if things go wrong.
Some 95% of internal breaches are caused by human error. Training and education must be continuous as digital resilience is a process, not an event. It should be viewed as a journey that requires continuous vigilance and has to be part of the organisation’s ongoing risk assessment.
Share good practice amongst top teams and throughout the organisation—your neighbour could be the weak link so help them—and have a plan for when it all goes wrong.
Cybersecurity knowledge and expertise is becoming a requirement or at least an expectation for the majority of directors. At University of Gloucestershire, we train both employees and executives to deliver overviews of cybersecurity, the motivations and methods of “threat actors”, details on why an organisation might be targeted, live-hacking demonstrations and improved security behaviour guidance.
Ultimately board members need to take responsibility and ensure that their cybersecurity plans are detailed and well informed by security executives. Directors place themselves and their organisations at risk by failing to consider how their actions will support organisational objectives and strategic success.
Professor Kamal Bechkoum is head of the school of computing and engineering at the University of Gloucestershire.