Forget hackers – Look within to find your greatest cyber risk.
Adverse cyber incidents are occurring with monotonous regularity and are routinely reported in the media. With the list of mega-data breaches increasingly looking like the ‘who’s who’ of the corporate world, what chance do you really have in your business when it comes to the protection of valuable information assets?
While the rapidly evolving digital landscape is fuelling opportunities for businesses, this rapid churn also elevates the risk of an adverse cyber incident – whether self-inflicted or caused by an external actor.
Data breaches and adverse cyber events continue despite organisations having access to the best IT systems, cyber security products and world-class IT security consultants. Why?
With a rising proportion of adverse cyber events having their causes within the organisation – some say in excess of 60% (hacks or data breaches arising from human error, lack of training, staff dissatisfaction, etc.) – let’s explore some of the key non-IT factors affecting this landscape.
Leadership and Culture – essential ingredients for effective security
It does not take a rocket scientist to know when you’re working in an organisation that is its own worst enemy.
Organisations characterised by poor staff engagement and satisfaction, adversarial cultures, conflicted and inconsistent decision-making, chronic inefficiency, a revolving door of part-timers, contractors and managers, lack of internal collaboration, a continual state of crisis or ineffective leadership are fertile ground for adverse cyber events.
As individuals, we constantly have to log into numerous systems such as internet banking, social media, or government services.
At work, our staff, customers and suppliers also need to log into a range of business systems in order to do their jobs.
The result is ‘login fatigue’ or ‘password overload’.
This can be particularly challenging for large organisations, which often have to juggle a variety of internal systems and external websites – each with their own login credentials with varying degrees of password / credential strength.
The result: Individuals using common passwords across multiple systems.
Suffering an identity crisis?
Organisations that have tried to integrate identity management and access controls to a ‘single sign on’ capability across all systems soon realise that this is hard to do and hard to maintain effectively without added cost and risk.
Given the hybrid architecture of IT systems spread across organisations (e.g. a mix of on-premises, externally hosted, cloud-based or mobile environments), ensuring that the underlying IT systems all play nicely together is a constant challenge. Additionally, ensuring that every individual has the right access at the right time can be a technically exacting and logically complex task.
From a business perspective, gaining clarity over ‘who should have access to what parts of which systems, when and under what situations’ – especially in federated environments – is no trivial matter.
Adding to this, the constantly changing needs of the business often translate into multiple individual exceptions to predefined Role Based Security (RBS) controls. If these exceptions are not effectively managed, the overhead of maintaining effective security controls on top of a complex set of exceptions needs to be recognised.
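The point about exceptions accumulating on top of role-based controls is easiest to see with a small exception register. The following is an added example, not code from the original article: it assumes a hypothetical role model (`ROLE_PERMISSIONS`), a constructed user directory and a constructed list of individually approved exceptions, then audits the register for the cases that typically go unnoticed (redundant grants, expired grants still on the books, open-ended grants past their review window, and grants for accounts that no longer exist). It also computes each user’s effective permissions so you can see that an open-ended exception keeps granting access long after anyone remembers why.

```python
"""Audit of individual exceptions layered on role-based access (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical role model: role name -> permissions the role grants.
ROLE_PERMISSIONS = {
    "accounts_payable": {"erp:invoices:read", "erp:invoices:approve"},
    "warehouse": {"wms:stock:read", "wms:stock:adjust"},
    "analyst": {"erp:invoices:read", "bi:reports:read"},
}

# Constructed user directory: user -> role. A user missing here has left the organisation.
USERS = {
    "alice": "accounts_payable",
    "bob": "warehouse",
    "carol": "analyst",
}


@dataclass
class AccessException:
    """One individually approved grant outside the user's role."""
    user: str
    permission: str
    approved_by: str
    granted: date
    expires: Optional[date]   # None means the exception was granted open-ended
    justification: str


# Constructed sample exception register (the kind of list that grows one request at a time).
EXCEPTIONS = [
    AccessException("alice", "erp:invoices:read", "cfo", date(2023, 1, 10), None, "legacy"),
    AccessException("bob", "erp:invoices:approve", "cfo", date(2023, 2, 1), date(2023, 3, 1), "cover"),
    AccessException("carol", "wms:stock:adjust", "ops_mgr", date(2022, 6, 1), None, "project"),
    AccessException("carol", "erp:invoices:approve", "cfo", date(2023, 6, 1), date(2023, 12, 31), "backfill"),
    AccessException("dave", "bi:reports:read", "cio", date(2023, 5, 1), None, "contractor"),
]


def effective_permissions(user, users=USERS, exceptions=EXCEPTIONS, today=date(2023, 7, 1)):
    """Role permissions plus every exception that is still valid on `today`."""
    perms = set(ROLE_PERMISSIONS.get(users.get(user), set()))
    for ex in exceptions:
        if ex.user == user and (ex.expires is None or ex.expires >= today):
            perms.add(ex.permission)
    return perms


def audit_exceptions(users=USERS, exceptions=EXCEPTIONS, today=date(2023, 7, 1), max_open_days=90):
    """Return (user, permission, finding) tuples for exceptions that need attention."""
    findings = []
    for ex in exceptions:
        role = users.get(ex.user)
        if role is None:
            findings.append((ex.user, ex.permission, "orphaned: user not in directory"))
            continue
        if ex.permission in ROLE_PERMISSIONS.get(role, set()):
            findings.append((ex.user, ex.permission, "redundant: already granted by role"))
        if ex.expires is not None and ex.expires < today:
            findings.append((ex.user, ex.permission, "expired: revoke"))
        elif ex.expires is None and today - ex.granted > timedelta(days=max_open_days):
            findings.append((ex.user, ex.permission, "stale: open-ended exception past review window"))
    return findings


def exception_counts_by_role(users=USERS, exceptions=EXCEPTIONS):
    """Exceptions carried per role; a high count is a sign the role itself needs redefining."""
    counts = {}
    for ex in exceptions:
        role = users.get(ex.user, "<unknown>")
        counts[role] = counts.get(role, 0) + 1
    return counts


if __name__ == "__main__":
    for finding in audit_exceptions():
        print(finding)
    print(exception_counts_by_role())
```

Run as a script it prints the five findings for the constructed register and the per-role counts; the analyst role carrying two exceptions, one of them an approval right, is exactly the signal that the role definition, not the individual, should be revisited.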
Hey partner, my pain is your pain, too
Organisations are increasingly reliant on external suppliers and partners to develop, deliver and operate the technologies on which they depend.
Inconsistencies between your organisation’s technology ecosystem and that of your key suppliers need to be identified and addressed.
The analogy that ‘a chain is only as strong as its weakest link’ applies. Act on evidence, not opinion, if it is important to your organisation – then test again tomorrow, as nothing remains constant for long in our rapidly changing digital and business ecosystem.
Here are a few pointers that need to be considered to minimise the risk of an avoidable adverse cyber incident damaging your organisation, its customers or shareholders:
1. Integrate IT security with business processes
When IT security is seen as the job of IT and the business’ job is to run the business, the result is an elevated business risk of an adverse cyber incident.
By integrating IT security applications within and across business processes, the context and behaviours of system users will be better understood. This will improve the detection and actioning of unusual events by the business, with the help of IT.
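What ‘understanding the context and behaviours of system users’ buys you is concrete when detection is run against the business rules rather than against raw technical events. The following is an added example, not code from the original article: it assumes a hypothetical per-role business context (`ROLE_CONTEXT`: the systems a role normally uses, its working hours and its own invoice approval limit) and a constructed audit log in a made-up `timestamp user system action [amount=...]` format. Each event is judged against the business context of the user’s role, so an approval that is technically permitted by the system is still surfaced to the business when it is out of hours, over the limit, or made by a role with no approval authority.

```python
"""Flagging unusual system events using business-process context (added example, constructed data)."""
import re
from datetime import datetime

# Hypothetical business context per role: systems normally used, working hours
# (start inclusive, end exclusive) and the largest invoice the role may approve alone.
ROLE_CONTEXT = {
    "accounts_payable": {"systems": {"erp"}, "hours": (7, 19), "approval_limit": 10000},
    "warehouse": {"systems": {"wms"}, "hours": (5, 23), "approval_limit": 0},
    "analyst": {"systems": {"erp", "bi"}, "hours": (8, 18), "approval_limit": 0},
}
USER_ROLE = {"alice": "accounts_payable", "bob": "warehouse", "carol": "analyst"}

# Constructed audit-log lines: timestamp user system action [amount=...]
SAMPLE_LOG = """\
2023-07-03T09:12:04 alice erp invoice.approve amount=4200
2023-07-03T02:47:51 alice erp invoice.approve amount=38000
2023-07-03T10:05:13 bob wms stock.adjust
2023-07-03T10:06:40 bob erp invoice.read
2023-07-03T12:30:00 carol bi report.read
2023-07-03T12:31:22 carol erp invoice.approve amount=900
2023-07-03T13:00:00 mallory erp invoice.read
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: amount=(\d+))?$")


def parse_event(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, system, action, amount = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "system": system,
            "action": action, "amount": int(amount) if amount else None}


def assess_event(ev, user_role=USER_ROLE, role_context=ROLE_CONTEXT):
    """Return the business-context reasons an event looks unusual (empty list = normal)."""
    reasons = []
    role = user_role.get(ev["user"])
    if role is None:
        return ["unknown user"]
    ctx = role_context[role]
    if ev["system"] not in ctx["systems"]:
        reasons.append(f"{role} does not normally use {ev['system']}")
    start, end = ctx["hours"]
    if not (start <= ev["ts"].hour < end):
        reasons.append("outside role working hours")
    if ev["action"] == "invoice.approve":
        if ctx["approval_limit"] == 0:
            reasons.append(f"{role} has no approval authority")
        elif ev["amount"] is not None and ev["amount"] > ctx["approval_limit"]:
            reasons.append(f"amount {ev['amount']} exceeds approval limit {ctx['approval_limit']}")
    return reasons


def find_unusual(log_text=SAMPLE_LOG):
    """Parse the log and return (line, reasons) for every event the business should review."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = assess_event(ev)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in find_unusual():
        print(line, "->", "; ".join(reasons))
```

Against the constructed log, four of the seven events are flagged: the 02:47 approval for 38000 (out of hours and over the limit), the warehouse user reading invoices in the ERP, the analyst approving an invoice, and an account nobody in the business recognises. None of these is a technical failure of the systems involved; they are only visible as unusual once the business rules are part of the detection logic.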
2. Build a culture that demonstrates the right amount of collaboration.
Not every organisation is the same. The fine art of defining and implementing a corporate culture is context and situationally specific.
For example, the collaboration that underpins air traffic control operations at a major airport is clearly defined in operating procedures and requires specialised skills. For a tech startup, on the other hand, collaboration has a completely different meaning. Bottom line: define, and work towards exhibiting, the appropriate collaboration behaviours across your organisation.
3. Don’t ‘train’ people on IT security: Demonstrate competence please.
If training means sending people on a course and they come back with a certificate, then think again when it comes to applied cybersecurity in your organisation.
Recognise that ‘Security awareness’ training is a necessary but insufficient condition for effective cyber protection for your organisation.
Implement competency and evidence based security training so that all understand and can demonstrate their understanding of security measures as they relate to your organisation and their individual accountabilities. Staff need to demonstrate competence in the use of the relevant cyber security tools and business processes.
4. Discount individual incentives for security events – across the board
For organisations that have a high cyber risk profile or compliance load, how would the across-the-board reduction of individual executives, managers and staff incentives in proportion to the number or severity of adverse cyber incidents affect their focus on enterprise-wide cybersecurity?
Would it also contribute to the fostering of inter-departmental collaboration and ‘skin in the game’ when it comes to balancing short term business needs with security?
If cyber security is important for your business and it’s someone else’s job, this will be your starting point. After all, if you’re all ‘in the same boat’ there should be a common goal and shared self-interest in ensuring effective cybersecurity measures – both technological and behavioural.
5. Clarify cyber security accountabilities
Given the high prevalence of Shadow IT, it is important that the accountabilities for the use of convenient, localised cloud or other technologies be clearly defined and followed. Ignoring or suppressing Shadow IT should not be the default position.
The challenge facing business and technology leaders lies in striking the right ‘settings’ for information security in a constantly changing environment – and in many cases this has little to do with technology per se.
The question is: what’s the best approach for your organisation?