Once upon a time, cyber security had a clear division of labour: employees used the computer network to conduct their daily business and the IT department ensured the network was clear of hackers and viruses. The issue was largely a technical one, with a focus on plugging the holes cyber criminals could potentially exploit. And big corporations generally invested more in organizational cyber security because the likelihood of a breach was higher for them than for a small- or medium-sized operation.
But old perceptions die hard and, unfortunately, that outdated viewpoint persists to this day.
As we touched on in the first installment of this series, cyber security is now an organization-wide concern. Everyone plays a role in protecting the business. And while there are certainly technical aspects to a comprehensive cyber security strategy, they are only one piece of a much larger puzzle. Perhaps most importantly, no organization – big or small – can afford to assume it is threat-proof.
Let’s dig deeper.
Old Viewpoint: Cybersecurity is a technical problem
Certainly, there is a lot of technical jargon thrown around in the cyber security conversation. We often speak of firewalls, anti-virus and anti-malware programs, encryption, multifactor authentication and control framework acronyms like PCI-DSS.
There’s no doubt these are critical features of an effective cyber security strategy – and often required by regulators, banking institutions and business partners. But even the most rigorous technical controls fall short without their non-technical elements.
Hiring Practices – The weakest point in any cyber security strategy is human ignorance and/or negligence. Businesses want to employ security-minded staff members who are aware of their role in protecting proprietary, employee and customer information.
Policies and Procedures – Whether a chainsaw or a cyber security control, every tool has specific use instructions to ensure its optimal effectiveness. Organizations must clearly outline what these instructions are, why they’re important and the consequences for deviating from them.
Training Programs – A comprehensive cyber security program is completely ineffective if staff members lack the skills, awareness and practice to follow the rules and know when to report suspicious activity. Effective cyber security coaching, learning opportunities and onboarding practices are essential.
Service Provider Contracts – Another weak point in any cyber security program is sharing information and access with other companies. These service provider companies must have the same rigorous focus on adequate controls, policies, procedures and training. But there also needs to be a clear understanding of who is responsible for what, and of how to avoid misunderstandings and finger pointing if something goes wrong.
Program Governance – The cyber security program needs to fit the business context, strategy and risk appetite and facilitate clear and effective communication from executive leadership to operational management.
Public Relations and Legal – With increasing threats, regulations and public expectations, businesses must also be prepared to communicate effectively and comprehensively with the media, government, courts and external stakeholders about their cyber security program.
A New Viewpoint
Cyber security is a business problem
Old Viewpoint: Cybersecurity is about preventing an attack
Every business faces a dilemma when designing their cyber security strategy: the more features added, the more vulnerable the business is to a cyber attack.
Consider the first personal computers. These standalone units didn’t have internet access and were, by today’s standards, largely immune to cyber crime because there were only a limited number of ways a person could gain access. Contrast that with today and the virtually limitless (and growing) number of applications, wireless networks, websites and peripheral devices businesses use at any given time.
A good analogy for working in cyber security today is plugging holes in a leaky dam. With each hole sealed, several new programs, platforms or devices come on the market to spring several new ones – creating new vulnerabilities and adding new risks.
There’s a saying in the cyber security profession that complexity is the enemy of security. Businesses need to balance their desire for the latest, most functional technology with the need to protect their information. While strategy and expertise can reduce the probability of a breach, prevention will always be a game of technological cat and mouse.
A New Viewpoint
Cyber security is about risk management
Old Viewpoint: Cyber attacks only target big businesses
Recent news reports of cyber breaches would have most businesses think it is only large, multinational corporations and governments being targeted. But that’s a dangerous assumption. While those are the most buzzworthy stories, with the potential to affect the largest number of people, it doesn’t mean they’re the most common.
Cyber attacks happen to organizations of all sizes and industries – from corner stores to charities to conglomerates. Verizon releases a report covering roughly 70,000 reported cyber security incidents which it is contracted to remediate each year. But perhaps hundreds of thousands more go undetected, go unreported or are remediated through another service provider. This issue is clearly bigger than the Fortune 500.
In fact, thinking like a cyber criminal, it may make more sense to target smaller businesses who invest less in their cyber security programs. The payout in terms of information or financial incentive would be lower, but so is the effort and technical skill required. That means more time to target more businesses. It also means a lower likelihood of detection and reporting, and therefore a lower likelihood of being caught.
Too many companies think, “cyber security breaches are what happens to some other company, not us.” But then, everyone thinks it won’t happen to them, until it does.
A New Viewpoint
Everyone is a potential target of cyber crime
Tomorrow’s technology is shaping business today. To learn more about how MNP can help you build an effective cyber security strategy, contact Jason Murray at 647.333.6241 or [email protected]