by Matt Johnson
I am sure you’ve noticed that the threats to online security are constantly evolving, and have become increasingly sophisticated. At Intercity, we make it our job to ensure we’re experts on the latest security threat vectors, from mobile malware, phishing and DDoS attacks, to common rogue insider activities.
But it seems, no matter how seriously we take cyber security, many businesses are still falling short — latest figures show that over four in ten UK businesses and two in ten charities suffered a cyber breach or attack in the past 12 months.
And the most common attack? Fraudulent emails followed by cyber criminals impersonating an organisation.
Ensuring your business is cyber secure should be without question. And there are various ways of doing so, whether it is on-premise security or a cloud-based Security as a Service (SECaaS). The bigger question, perhaps, is not how to secure your business, but who takes ownership of this cyber security process?
Cyber security is more than just IT
Often, the burden of responsibility for cyber security falls to you — the IT department. And on the surface, that makes sense. Historically, it was considered ‘IT security’; companies defined specific perimeters to protect internal IT systems from external threats.
Whilst these perimeters are now expanding or even disappearing altogether, online security solutions are still technology-based tools. These tools generally assess and encrypt your sensitive information, protect your business devices and block malicious activity as early as possible. As the tech expert, you’re best positioned to choose the most robust tools, solutions and reliable partners to secure your business architecture. The rest of the business trusts you to do so.
But, as we’ve already discussed, a significant number of threats begin with a single, often non-IT staff member doing something they shouldn’t — opening a malicious attachment or clicking on a phishing email. Whilst technologies can detect if a hacker is attempting an attack and restrict compromised devices, your technology solutions can only go so far.
It is impossible, therefore, for your IT department alone to keep the entire organisation secure. It should be a collaborative effort that should go up to the very top of the business, and extend across all operational departments.
Is your board involved?
The surge in high-profile, malicious attacks in recent years, with WannaCry and NotPetya the most recent, has raised the stakes of online security. As such, cyber security has (or should have) become an integral part of organisational risk assessment and management.
Your board members have the easiest access to the most sensitive business information. For this reason, they are just as likely, if not more so, to be targeted by cyber criminals.
Despite this, there still seems to be a lack of clarity among some boards about how to oversee and provide guidance and leadership on these threats. Our latest research on cyber security shows that whilst just under two thirds of senior leaders have some understanding, only 30% have an in-depth understanding of the risks associated with evolving cyber threats.
It is, however, your role to take this knowledge to your board. They needn’t be online security experts, but they should be abreast of the common threats and potential weaknesses of your business, not least because, as noted above, their access to the most sensitive information makes them prime targets.
To broaden their involvement, why not disseminate a regular update or summary of the main components of your security strategy? This could include a review of the current threats and recently prevented attacks, as well as a review of the training and education taking place across the organisation.
Cyber security is everyone’s job
Whilst online security is certainly a board-level concern, it is everyone's role in the business to tackle it. You, as the security and technology expert, still have an integral role to play here.
Thorough education programmes should be built into your security role to train the wider business on potential online threats. This could involve regular presentations to your staff on what to look for in a malicious email, or outlining activities to avoid on business devices. Train your staff to be vigilant: this includes showing what these threats ‘look like’ and, most importantly, how to avoid them.
Human error is the cyber security ‘wildcard’; it’s not something that IT departments can easily mitigate so, unfortunately, it is often overlooked. Many organisations focus on preventing cyber criminals from exploiting technology and ignore the mistakes their staff can make, with or without IT. The most secure businesses have robust technical safeguards in place, whilst constantly patching holes and plugging gaps in their front line of defence — their workforce’s knowledge.