November 24 2020
Time and again we see that a company “doing everything to safeguard their digital assets” means only that a penetration test report has been created; a box has been ticked. Money spent, but no action taken. Such a token nod to cybersecurity is actually the most dangerous mindset. Spending money on cybersecurity may make you feel safe, but the first and last line of defence is prepared leaders and employees.
It appears that lots of people believe in cybersecurity, judging by the headlines we see:
- ‘How to navigate the changing landscape of cyber security’
- ‘Future proof your business against unforeseen hacking hell’
- ‘Addressing the ever-expanding IoT threatscape’
(Some slight paraphrasing here; but we bet you’ve seen similar posts.)
According to a recent ISACA survey, the majority of business leaders believe in security too. The ISACA analysis shows us that 55% of company directors and executives believe they’re doing everything they can to safeguard their digital assets.
False belief in cybersecurity
If we dig deeper into the ISACA data, however, we start to chip away at this perceived security self-belief.
- 92% of those respondents have used their personal email accounts (including unsecured systems like Gmail) to conduct business
- While 74% reported using secure communication software to share sensitive company documents, 54% regularly download these documents onto personal devices or drives
- Only 8% ask their IT, IS or online security teams to sanction directors’ communication methods
- And perhaps most sobering, 62% said their company doesn’t require directors to participate in any cybersecurity training
So why doesn’t perception (“we’re doing everything we can”) match reality (“we flout all the basic security practices”)?
If there’s such a pervasive argument – that security awareness and policy must trickle from the top down – why do so many companies struggle with security?
Security isn’t your business
Fundamentally, security isn’t your business. You sell widgets, you create web apps, you build connected devices – or something else that isn’t security. Your business is getting your product into customers’ hands. The pressure to hit milestones weighs heavier than anything else.
Therefore what matters – what you truly believe in – is Time-To-Market. Of course you’re aware that security is an important component, but it’s not a priority. And though you’d never say it out loud, it’s cheaper and easier to put out insecure software or apps. Basically, security is a nuisance.
Also, people are generally risk takers. You’ve never been hacked or compromised before. You’re flying by the seat of your pants to get your product out on time. So you’re happy to do what you did last time, with a few tweaks maybe, and go again. If you were secure before, you’re secure now. Right?
Other factors weigh heavy too – for example you might not have the relevant skills in house. And if you decide to work with a cybersecurity supplier, how do you find the right one, with the skills and pedigree that your business needs? Quantifying and qualifying security people can be daunting.
This is when those headlines listed at the top of this blog offer a ray of hope to anyone responsible for ensuring their apps and systems aren’t breached. You’ll notice that these articles are usually written by someone wanting you to use their security product – one that solves all your problems. But even the best product in the world can’t do this.
Technology alone cannot keep pace with cyber threats
Without using the words ‘snake oil’ (oops) how can there be one product for every company’s risk profile? How can one product understand the subtleties and nuances of your business? How can any product truly help you negotiate that ever-changing landscape of cybersecurity you hear about?
Of course technology has its place, and it’s extremely important, but it’s not the answer on its own. It’s only when technology is combined with people and process that we start to get somewhere. People and process are critical – and by people and process we mean those within your company. Because when all three are combined you can create a secure community culture, one that is embedded into everyday working practices.
Technology + people + process = the holy trinity.
Without truly believing in such a holy trinity, security often becomes a box ticking exercise. Pentest reports are created but not acted upon. Money is splurged, but no one learns.
It might sound a bit doomsday scenario, but it’s something we see time and again. We wonder why a company invests in having a pentest report created if there’s no way, or no one, to act on it.
Believing you’re covered because you’ve ticked off a pentest, for example, only endangers you, your staff and your suppliers.
Become a true believer in security
Here’s a short list of commandments for directors and leaders, or indeed anyone responsible for online security within your business.
- Accept that it requires investment. You’ll need to commit time and resource, as well as budget; not just in technology but training too. In fact the best cybersecurity investment you can make is better training: as with any cyber threat, the first and last line of defence is prepared leaders and employees. Any investment here becomes cost effective over time, especially when compared to implementing cutting-edge technology that may become obsolete.
- Accept that it will be an ongoing commitment. Real security takes time, requires action, and will be continually and forever evolving. It’s not a to-do list, and it’s definitely not a tick in a box. As cyber threats grow, comprehensive risk management is an ongoing board-level priority.
- Ask yourself: what are you protecting? Map out what your business does, what’s critical to its success and therefore what needs to be protected. Once you have an understanding of your business, engage with a security partner to build a bespoke risk profile. Remember, your security requirements are unique.
- Embed a security mindset from the top down. Directors and top executives hold the ultimate responsibility here. Not only must they be aware of the cybersecurity programs and risk profile of their companies, they must also set the right tone for the rest of the employees. This means demonstrating, through adherence to secure communication policies and practices, that security is important enough to warrant the regular time and attention of the company’s leaders. It’s also critical that this behaviour, and this sense of responsibility, is transferred across the entire business. Most breaches are a result of internal human error, and often from unlikely sources within your organisation. So when it comes to security training, we want to see the CEO and cleaning staff sitting next to the developers.
- Prevention, Detection and Response. Work on the principle that all three are essential: none of them is perfect on its own, and you need all three in place should one fail. For example, there’s no point having good detection in place if your response policies are substandard or non-existent. It’s far better to assume your defences will be breached and to train your people in what to do when that happens.
- The simpler, the better. Your security protocols should be clear and simple to follow.
It may sound daunting, but with the right tools, training and support in place, you’ll have peace of mind that you’re genuinely doing all you can to prevent a breach or attack.
Good cybersecurity means human readiness, strong security measures and solid technological defences.
Good cybersecurity means believing in cybersecurity. Help spread the word by circulating this article to whoever may benefit most.
Keep your business secure with Secarma
We believe that the security of your critical networks and data is key to your organisation’s success. Whatever your sector, whatever your size, our mission is to help you to seize the competitive advantages of providing your clients with security, compliance, and reliability.
For more information, contact a member of our dedicated team.