3Gi Blog

5 Essential Hacks to Reduce Cyber Security Risks for C-level Executives in 2022

Written by Jonathan Collins | Nov 18, 2021 6:14:18 PM

As part of our Business Leaders in Tech series, we have been interviewing business leaders over the last 2 years to understand their top technology challenges. In 65% of the interviews we conducted, cyber security was raised as one of the top challenges facing business leaders in 2021. This blog aims to address some of the concerns that business leaders have shared with us and to guide C-Level Executives on the journey to reducing their cyber security risk in 2022.

One of the toughest hurdles a C-Level Executive can face is not only understanding what their cyber security risks are, but also translating them for the boardroom so that the board understands why cyber security matters. One of our favourite phrases, "You don't know what you don't know", is especially applicable to cyber security: the tools and techniques of cybercriminals keep evolving and are increasingly mainstream, which makes keeping up with them all the more exhausting.

If somebody really wants to hack your organisation and has the right tools, talent, and time, they will! The objective is to build preventative measures that reduce your vulnerabilities and exposure, making the cybercriminal's life as difficult as possible.

 

Identifying sources of security threat to your business

Understanding your attack vectors is the first step towards minimising your cyber risk. In general, there are 3 main hacker groups that you should be aware of. Gauging which group is most likely to attack your business, and what they would be looking to achieve if they were successful, is a valuable investment in your business's future strategy.

Organised Crime – This is the biggest threat to your leadership team: organised criminal gangs or individuals looking to hold your data, systems, and technology platforms to ransom in order to extract money from you and your business. Rarely personal or political, just straight-up cash extortion.

Nation-States – These groups exist to deliver highly sophisticated, industrial-style espionage, sabotage, and ransom-style operations. They maintain a list of target names, countries, and industries in line with the nation state's current agenda.

Hacktivists – It is hard to predict the type of target these groups go after, but effectively they are self-styled cyber warriors that pursue political, organisational, or individual targets to further their "activist" agenda.

Ensuring your board is educated enough and aligned is crucial to knowing what you and your team are protecting yourselves against, and to developing an efficient security strategy that does not cost you a billion dollars! Once you understand what you are protecting yourself from, you can then assess the impact an attack may have on your organisation.

 

Understanding what impact a security breach could have on your organisation

Now that you have identified what you are trying to protect yourself against, you need to know the effect a successful attacker could have on your organisation. A data breach can have a long-lasting impact, so identifying the key areas a successful breach would affect is essential to establishing a cyber security strategy.

No access to business systems – This could have a huge impact on operational productivity, with staff unable to work or service your clients. This brings a risk to both your finances and your reputation.

Data loss – Beyond the loss of intellectual property or damage to your brand's reputation, you also face a risk of legal implications if the data is personal.

Hidden costs – Costs can accrue from the incident forensics investigation, legal fees, PR, and increased cyber insurance premiums.

Without intervention, the chances of a breach occurring become a case of not ‘if’ but ‘when’, whether internal or external, so all businesses should have a framework in place to respond to it.

 

What is the best way to respond to a security incident?

Developing a breach response plan and building a business continuity framework will be key components of effectively managing a cyber security incident.

Firstly, most security professionals will advise you to “Don’t Panic!”, but that is difficult when you are in a crisis. Planning ahead is the best advice! Understanding your Business Impact Analysis in terms of recovery point objectives (how much data you can afford to lose) and recovery time objectives (how quickly a system must be back) will help leadership teams decide which critical data points matter most to the business and how much damage losing them would cause. Having a super-strong backup auditing capability and an enterprise-level disaster recovery strategy (that is tested regularly) is an essential component of your disaster recovery policies. Knowing that the policy is documented and tested against your business impact analysis can bring you and your board peace of mind.
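To make the "backup auditing capability" concrete, here is an added example (not code from 3Gi or from the blog) of the kind of check a team can run on a schedule: it reads backup and restore-test job records, compares them against the recovery point objective (RPO), recovery time objective (RTO) and restore-test cadence agreed in the Business Impact Analysis, and reports every system that falls short. The log format, the system names and the BIA targets are all constructed for the example; a real run would take them from your backup tool's job history and your own BIA.

```python
from datetime import datetime, timedelta

# Constructed BIA targets per system (hypothetical values, not from the blog):
# RPO in hours, RTO in hours, and how many days a restore test may be allowed to age.
BIA_TARGETS = {
    "erp-db":     {"rpo_hours": 1,  "rto_hours": 4,  "restore_test_max_days": 30},
    "file-share": {"rpo_hours": 24, "rto_hours": 24, "restore_test_max_days": 90},
    "crm":        {"rpo_hours": 4,  "rto_hours": 8,  "restore_test_max_days": 30},
}

# Constructed job history: "<ISO timestamp> <system> <backup|restore-test> <ok|FAILED> duration=HH:MM:SS"
BACKUP_LOG = """\
2021-11-18T06:00:00 erp-db backup ok duration=00:25:00
2021-11-18T07:00:00 erp-db backup ok duration=00:26:00
2021-11-17T22:00:00 file-share backup ok duration=03:10:00
2021-11-18T02:00:00 crm backup FAILED duration=00:00:00
2021-11-17T20:00:00 crm backup ok duration=00:40:00
2021-11-01T09:00:00 erp-db restore-test ok duration=03:30:00
2021-08-10T09:00:00 file-share restore-test ok duration=05:00:00
2021-11-10T09:00:00 crm restore-test ok duration=09:15:00
"""

# Fixed "current time" so the sample audit is reproducible.
SAMPLE_NOW = datetime(2021, 11, 18, 8, 0, 0)


def parse_duration(text):
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def parse_log(log_text):
    """Reduce the job history to the latest good backup and latest restore test per system."""
    state = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, system, event, status, duration_field = line.split()
        when = datetime.fromisoformat(stamp)
        duration = parse_duration(duration_field.split("=", 1)[1])
        rec = state.setdefault(system, {"last_backup": None,
                                        "last_restore_test": None,
                                        "restore_duration": None})
        if status != "ok":
            continue  # a failed job is not a recovery point, so it must never count
        if event == "backup":
            if rec["last_backup"] is None or when > rec["last_backup"]:
                rec["last_backup"] = when
        elif event == "restore-test":
            if rec["last_restore_test"] is None or when > rec["last_restore_test"]:
                rec["last_restore_test"] = when
                rec["restore_duration"] = duration  # how long recovery actually took
    return state


def audit(targets, log_text, now):
    """Return {system: [finding, ...]}; an empty list means the system meets its BIA targets."""
    state = parse_log(log_text)
    findings = {}
    for system, target in targets.items():
        issues = []
        rec = state.get(system)
        if rec is None or rec["last_backup"] is None:
            issues.append("no successful backup on record")
        else:
            age = now - rec["last_backup"]
            if age > timedelta(hours=target["rpo_hours"]):
                issues.append(f"RPO breached: last good backup is {age.total_seconds() / 3600:.1f}h old, "
                              f"target {target['rpo_hours']}h")
        if rec is None or rec["last_restore_test"] is None:
            issues.append("never restore-tested")
        else:
            days = (now - rec["last_restore_test"]).days
            if days > target["restore_test_max_days"]:
                issues.append(f"restore test stale: {days} days ago, limit {target['restore_test_max_days']}")
            # The measured restore time is the best evidence of whether the RTO is achievable.
            if rec["restore_duration"] > timedelta(hours=target["rto_hours"]):
                issues.append(f"RTO at risk: last restore took {rec['restore_duration']}, "
                              f"target {target['rto_hours']}h")
        findings[system] = issues
    return findings


def run_sample_audit():
    return audit(BIA_TARGETS, BACKUP_LOG, SAMPLE_NOW)


if __name__ == "__main__":
    for system, issues in run_sample_audit().items():
        print(f"{system}: {'OK' if not issues else '; '.join(issues)}")
```

Run on the constructed data, the audit passes erp-db, flags file-share for a restore test that has not been repeated within its 90-day window, and flags crm twice: its most recent backup failed, so the last good recovery point is older than the 4-hour RPO, and its last restore took longer than the 8-hour RTO. Those are exactly the three questions a board wants answered before an incident rather than during one.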

 

Responding to a cyber incident will require some level of forensics and media/client management. Having a team of experts that you can call upon, rather than googling around trying to find someone, will definitely pay dividends, whether they are completing a post-mortem to understand the root cause of the problem or building a plan to reduce the risk of it happening again.

A strong technical skillset is, of course, a necessity, but having a team that can help with media management, whether that is engaging with the ICO, building a PR campaign, or dealing with your cyber insurer, is also essential, and a key step towards reducing the business impact of a security incident.

When you inevitably have to respond to a security incident, whether you have invested your security budget in the most efficient way will be a question raised at your next board meeting.

 

Are we investing our security budget in the most effective way?

Finding a way to know whether your security budget is being spent in the most cost-effective way is of great importance, as it lets you understand exactly where your money is going. Most businesses overlook basics like having a security policy document, regular user training, MFA, and vulnerability assessments. The sad truth is that the core basics are where most people get hacked, through tools such as remote access trojans, phishing attacks, and so on.

We find that an overworked IT department that does not have the time or the exposure to follow the industry best practices that really make the difference, or a below-par IT vendor without pedigree in this space, is an area that C-Levels should look at when trying to work out whether they are investing their security budget correctly.

There are many buzzwords that get thrown around when it comes to cyber security: SecOps, SOC, Managed Detection, and XDR. But do you know what any of it means? Knowing the difference between these offerings will help you make the correct choices to suit your business needs.

 

How to raise the profile of cyber security at the board level

Board-level executives often overlook the importance of cyber security, or they simply do not understand the technical aspects, making it increasingly difficult to make informed decisions. Senior members of staff are held accountable when security breaches occur: in 2014, the Target CEO, after spending 35 years at the company, had to resign due to a credit card security incident that affected 40 million customers.

Organisations that perceive IT to be accountable for cyber security will come to see this as a mistake, as this is something senior-level executives need to be accountable for. This is one of the main strengths of frameworks like ISO 27001: they try to ensure there is accountability and communication from low-level IT all the way up to board level.

A few questions you should be asking at your next board meeting:

- Does every board member understand the value of cyber security?
- Who is accountable for cyber security at board level?
- Who would be responsible if we had a cyber breach?
- Who is currently managing our cyber security strategy?
- What are our cyber security objectives?

 

We set out to demystify cyber security and help business leaders find smart and efficient ways to reduce cyber security risk. If you are interested in getting some of these concepts into your organisation, please see the link below to book a session with one of our specialists.

Click here to book your free cyber security workshop