Cybersecurity progress will require speaking the right language
Elizabeth Denham, the UK’s information commissioner, made an astute point when she recently called for senior bank executives to get the same cybersecurity training as front-line staff, following the global WannaCry ransomware attack. But implementing the kind of comprehensive cyber defence strategy which includes such training will require a monumental culture shift at the top.
According to a UK government survey of over 1,000 UK businesses, 69% categorise cybersecurity as a high priority. This is a promising figure, but also one which is riddled with significant flaws. The most important of these is the huge disparity between the number of firms which assert cybersecurity as a high priority and the number which actually treat it as one. In the same survey, seven out of ten businesses admitted they had no formal, written cybersecurity policy. Nine out of ten attested to the lack of a formal incident management plan at their firm.
This is extraordinary when you consider that cyberattacks have become the number one threat to modern business, leaving a $500 billion bill for the global economy, at an average cost of $3.8 million per breach, according to Microsoft. To add insult to injury, the median amount of time that an attacker resides in a network before detection is 146 days.
However, despite this financial risk and exposure to malicious intent, company boards have been slow to take on the leading role that is required.
Often, this lack of direction is driven by the misguided perception that system security is an issue confined to the IT department. Boards expect their CIO or CISO to resolve these problems, and move on to focus on operational objectives.
But how can we incentivise any meaningful culture change in the people who, by the definition of their position, have been in the industry the longest? The answer lies in speaking to company boards using the language they will understand.
One sure way to do this is to state the following: an effective cybersecurity strategy will benefit the company’s balance sheet. When companies decide who to do business with, risk is always a pivotal factor, and so the better your security, the more attractive your services are. Since board meetings are often directed towards strategy, presenting cybersecurity in terms of financial risk and reward makes it an integral part of a business plan, rather than just a peripheral issue. Fundamentally, safety of operations can help you grow market share as your firm becomes a low-risk option when compared with competitors.
The impending conflict between inept cyber plans and new regulatory mandates exacerbates the problem of the inadequate board response. The implementation date for the EU’s General Data Protection Regulation (GDPR) is now just over ten months away. Leaving the nitty-gritty of what this entails aside, board members need to be aware that holding vulnerable customer data could result in a hefty fine being slammed on the table: either €20 million or 4% of the company’s global turnover, whichever is greater. Tell that to a CFO and the message will hit home.
Furthermore, cybersecurity apathy can be reduced by ensuring board members share their experiences with industry peers, raising awareness of the threats firms may be exposed to. Knowledge is key, and so if people understand the huge impact that a data breach can have, then they are much more likely to implement appropriate preventative measures and response plans.
The board’s knowledge of what is going on in their industry will no doubt be increased as GDPR sets in and fines become public knowledge. Nevertheless, healthy industry dialogue can act as a more constructive and more in-depth approach. Once boards come to realise that we are swimming in a cesspool of criminality, they will take note.
Acting on these points would push boards to ask the right questions. Do they have a functional cybersecurity strategy that incorporates protection and detection capabilities as well as response plans? Have they checked whether they can actually execute their response plans in real-time scenarios? Have they run due diligence to ensure no data is left vulnerable by third-party partner companies?
Once such questions are answered, companies will develop a clear cyber defence culture. This will not just make the data more secure in the short term. It will engender a spirit of vigilance throughout the workforce so that everyone is on the lookout for potential weaknesses, allowing solid cyber defences to be routinely built into operational structures. After all, once your boss cares about something, it is immediately in your interest to care as well.
By Brian Stapleton, MD, global investigations and strategic intelligence practice, Berkeley Research Group (BRG)