DEMYSTIFYING CYBERSECURITY: going back to basics
Executives, board members and security professionals who are tasked with enterprise risk management are constantly bombarded nowadays with cybersecurity news concerning new forms of attack perpetrated by both novice and sophisticated assailants, from state sponsored cyber criminals to malcontent employees.
These criminals are exploiting vulnerabilities in Information Technology (IT) systems and networks that were not designed to withstand this constant and repeated probing. The CERT Notes Database, which is maintained by Carnegie Mellon University, contains information regarding 3374 vulnerabilities that have been exploited by attackers. (1)
This trying environment is compounded by continuing advances in the digitalization of business processes and the growing complexity of networks and it challenges executives and security professionals, to find the right balance between facilitating business processes and the effective protection of critical digital asset.
SECURITY BEFORE 9/11
We all remember too well the state of many of our security programs before 9/11 and how quickly we had to adapt to the new reality, developing security management systems that promoted the planning and integration of security elements into business processes. As a result, security became a source of value creation for many organisations, and in some cases, even a competitive advantage.
CAUSING A SHIFT IN SECURITY
This transformation was, in our view, facilitated by three strategic components. We believe that these same elements can also benefit cybersecurity today, in adapting to its new reality:
- A shift in governance, positioning security as a core value, which was led by CEOs and complemented by the development of security management systems.
A greater awareness and understanding of security risks among employees and stakeholders, which fostered greater collaboration, through enhanced communications.
Investments in resilience, not only to manage expected or known events, but also to prepare and respond to the unexpected.
THE TONE IS SET AT THE TOP
People pay attention to what leaders pay attention to! An effective and efficient cybersecurity program must be championed by the CEO and the executive branch. If it is important for the CEO (and the Board) then cybersecurity will be important for everyone in the company. Although we may think that this would be the norm for most major organizations, recent statistics would tend to indicate that this is not the case yet.
Indeed, the World Economic Forum has conducted a survey in 2014 where researchers found that less than 5% of major companies or organizations had a mature or robust approach for identifying, assessing and managing cyber risks. (2)
The growing complexity of our networks, the advances in the digitization of commercial processes and the internet of things generate both opportunities and risks. It’s on the basis of the inherent risks linked to this new dynamic environment, that the cybersecurity program should be designed and not from the availability of new technological security tools. (3)
As suggested by the authors of “Beyond Cybersecurity: protecting your digital business”(4), cybersecurity must move from the domain of technology and controls, to the realm of governance, risk management and business processes. Indeed, we believe that technology must become an instrument, rather than a driver of the cybersecurity strategy, similar to how we use physical access controls, locks, CCTVs and alarm systems, to secure our physical environment and assets.
The root cause for many of the successful cyber-attacks that made the news in recent years can be traced or linked, for the most part, to human factors. A report published by Baker Hostetler in 2016 estimates that at least 24% of all cyberattacks were caused by employees’ errors. (5)
Accordingly, employees and stakeholders’ buy-in and contribution are indispensable if we want our cyber security strategy to succeed. Employees must recognize and understand the role they play in protecting the company digital assets, just like we expect them to protect other physical, financial and high value goods. Cybersecurity, just like traditional security is good business and it needs to become everyone’s business.
AWARENESS: CHANGING EMPLOYEES' BEHAVIORS TOWARD CYBERSECURITY
Employees not only pay attention to what leaders pay attention to, but also to what is measured, tracked and assessed. Providing training and raising accountability by including security in the formal performance assessment process, could go a long way in protecting companies against attacks that are perpetrated and facilitated through poor cybersecurity hygiene and non-compliance with standard procedures.
Furthermore, employees are more likely to comply with security procedures when the threats and the consequences of their actions or inactions, are clearly explained. Based on this awareness, employees will also be more receptive to the presence of controls, especially if we can provide them with the right information in real time, when they require guidance and assistance.
THE TONE IS SET AT THE TOP
Indeed, pushing the right information to the right person in real time will empower employees and partners to make the best possible decision at the right level, in order to accomplish the tasks that have been delegated to them, in compliance with legal requirements and corporate procedures.
Having said this, cybersecurity risks cannot be totally prevented or eliminated. In this context, the shift in governance and the increased awareness must be accompanied by the development of a resilient capacity to respond to incidents and emergencies, regardless of vectors and hazards. (6)
2. Obtained in February 2017 from: http://www3.weforum.org/docs/WEF_RiskResponsibility_HyperconnectedWorld_Report_2014.pdf
3. Kaplan, James « et al » (2015), « Beyond Cybersecurity: protecting your digital business », John Wiley & Sons, Hoboken, New Jersey (digital edition)
4. Kaplan, James « et al » (2015), « Beyond Cybersecurity: protecting your digital business », John Wiley & Sons, Hoboken, New Jersey (digital edition)
5. Obtained in February 2017 from: http://f.datasrvr.com/fr1/516/11618/BakerHostetler_2016_Data_Security_Incident_Response_Report.pdf
6. Weick, Karl and Sutcliffe, Kathleen (2015), « Managing the unexpected: Resilient performance in an age of uncertainty, 3rd edition». Wiley, New Jersey, p. 12
PROMOTING COLLABORATION & FACILITATING COMMUNICATION
Security and cybersecurity are no longer the domains of a few experts and specialists. Ideally, security should be positioned as a corporate value, that extends to all employees, by promoting collaboration and facilitating communications. In today’s world, resiliency may well constitute a competitive advantage and a mean to sustain and pursue the mission of our organizations, in the face of the constant and rapid changes in the risk environment.
Our effectiveness in responding to crisis and emergencies is invariably assessed by the speed and accuracy of our actions. This is especially true when one considers the current statistics concerning the average incident response time for cyberattacks. As zero-day vulnerabilities have now become weekly occurrences (7), our readiness to respond, recover and resume will become even more important than it is today.
7. Obtained in February 2017 from : https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf?aid=elq_&om_sem_kw=elq_16917618&om_ext_cid=biz_email_elq_&elqTrackId=283a3acdb3ff42f4a70ab5a9f236eb71&elqaid=2902&elqat=2 in February, 2016
In this context, it’s almost impossible for any company or organization to protect itself against all known and unknown forms of attacks. However, we can build a capacity to respond, react and manage any incident or attack by promoting collaboration among our workforce and partners and by leveraging widely used technologies, such as smart phones and applications (APP).
These new technological tools allow employees and stakeholders to access response plans and critical information in real time, using a secure APP on their mobile device. The APP can also enable the transmission of “mass notifications” to employees and stakeholders, providing them with guidance, while receiving communications from them based on their locations, roles and need for help.
These technologies can also automatically facilitate the confirmation of the actions taken by employees and even communicate with them directly by phone or even text messages, simply by clicking on their profile at the control center.
Technology as a mean and not as an end, can effectively and efficiently complement the cybersecurity strategy developed by organization’s leaders, while supporting and encouraging employees and stakeholders’ contribution, for the protection of valuable digital resources, in a collaborative fashion.
Founded in 2008, Cobalt brings together a team of experienced business continuity and technology specialists. We work closely with companies of all size around the world to build resilience, help them manage incidents and security risk, and accelerate their response.
Cobalt is a software as a service (SaaS) platform designed to help you manage everything when the unexpected happens. Make sure that all your employees or customers are safe when any incident happens. Track every step of an incident or contingency plan. Keep your business running without skipping a beat.
For more information, please visit our home page.