March 22 2021
Cyber-attacks continue to grow and it’s only a matter of time before your company becomes a target. But where should the responsibility of protecting your business lie?
For many companies, cybersecurity is seen as a technology issue and therefore sits firmly in the remit of the IT department and the IT Director. After all, they are responsible for the design, implementation and protection of the company’s technology infrastructure, and as such are perfectly placed to deal with the threats to the business as a whole. Or so you would think.
The problem comes when you consider business objectives and priorities. For IT teams, maintaining organisational networks and supporting staff issues is key. Yes, security is always a concern, but in the face of organisational pressures and productivity targets, it can often slip down the priority list.
IT and information security: the distinction
Whilst IT and cybersecurity overlap, they are two very different disciplines. Take the response to a ransomware attack for example.
In this scenario IT would be primarily concerned with restoring systems from backups, investigating the causes and putting in place measures to stop that particular attack happening again in the future. Job done. But what if the next attack uses a slightly different method? You’re vulnerable.
In the same scenario an internal security professional would have a response plan in place. They would look to contain the attack and investigate any potential data compromise. Forensic scans would continue to ensure that no back doors were introduced during the attack, and the whole process would not be complete until a new formal procedure was put in place, training requirements updated, and recommendations for improved system defenses requested.
A company needs both types of response, and would ideally have separate IT and security functions. However, for many organisations this is not a realistic option, and for those where it is, staff with the right skills are in high demand and short supply.
But security shouldn’t be confined to IT or security teams; the focus needs to be much wider.
Board level buy-in
Cyber-attacks can have huge consequences for organisations. Reduced business, reputational damage, the cost of replacing technology, loss of intellectual property, regulatory fines, the list goes on. Cybersecurity responsibility therefore needs to sit at Board level.
Increasingly high-profile attacks have moved this agenda up the priority list, and according to a recent report by HM Government “cyber risk is seen as a top, or group-level risk amongst 54% of FTSE 350 Boards”.
Whilst this is a good start, there are still major concerns. Reports show that despite the risk only 5% of FTSE 100 companies have Board members with specialist technology or cybersecurity experience, 10% of Boards do not have a plan in place to deal with a cyber incident, and 68% of companies say that their Board has received “no training in order to deal with a cyber incident within their organisation”.
It’s therefore important that Boards educate themselves on the importance of these issues; after all, they will be ultimately accountable. However, it’s more than that. Boards need to be seen to lead from the top, to exhibit all the behaviours essential for good security, to ask for regular updates from their teams, to invest in regular testing and actually do something with the results, to drive training and ensure processes are in place and adhered to, and to know that their company is set up to respond to any breach.
It’s all about developing a company wide culture.
Developing a security culture
At Secarma we believe that the most secure organisations are the ones that put security at the very heart of their business: companies where technology, people and processes are of equal importance, and where concerns are as critical to the people at the bottom of the organisation as they are to the people at the top.
Creating this type of security mindset comes from the top down and by adopting such a culture you ensure that technology is tested on a regular basis, patches installed to schedule, your people are educated on the latest threats and company processes are reviewed annually, at the very least.
Security by design can help you be proactive. Putting security front of mind when coding websites, creating apps, or even implementing IT infrastructure will improve your security posture dramatically. Proactive security, however, is only one end of the spectrum. At the other end you need to be fully prepared to react to any breach.
No business can ever be 100% secure, but by working together you improve your security and defend against all but the most persistent attackers.
So, where does the responsibility lie?
Accountability for cybersecurity is always going to sit at the top of the organisation, but in terms of responsibility it’s down to all of us. From Board members to cleaners, from IT Directors to apprentices.
We know this may sound like a daunting prospect, especially as security isn’t your main business objective, but that’s where a good cybersecurity company can help.