In the second article in this series, I outline the steps C-Suite executives can take to protect their organisations and reduce the risk of cyber attacks.
Gartner recently hosted its 2021 Security and Risk Management Summit, where analysts explored industry trends and released recommendations based on their findings. Among their conclusions was advice to security and risk management leaders to address the significant digital transformation issues of a COVID-19 world, which challenges traditional cyber security practices.
Gartner identified the top trends expected to have broad industry impact and significant potential for disruption. These included security-savvy boards of directors, discussed in my previous article, and the skills gap: the inability to find suitably qualified staff to deliver security projects.
Moreover, it looks like security support for remote workers is here to stay, as the push to go digital deepens due to the pandemic. Another highlighted issue was security vendor consolidation, where a 2020 report by the research house found that 78% of CISOs have 16 or more tools in their cyber security vendor portfolio; 12% have 46 or more.
It confirmed this large number of security products in organisations only increases complexity, integration costs and staffing requirements, with 80% of IT organisations planning to consolidate vendors over the next three years.
There is clearly a myriad of challenges in security and risk management, and not all of them fall to the C-Suite. Still, it must be reiterated that leadership comes from the top. So let's unpack the steps C-Suite executives need to take if they are to steer their organisations away from potentially crippling cyber attacks.
Holistic C-Suite involvement and responsibility
As explained, while CIOs typically spearhead security initiatives, other C-Suite executives can support these efforts and thereby add an extra level of reassurance and integrity. For example, after the CEO, the chief operating officer, as second in command, can provide the authority needed to drive improvements in company security culture and practices.
Even the chief human resources officer, usually regarded as concerned only with personnel issues, can assist by communicating policies and strategies to staff and improving trust in, and uptake of, the company's security vision. The chief marketing officer, who is directly tied to customers, can communicate how company data is protected and provide assurances.
Most of all, the CEO needs to become involved in making data security a crucial point of discussion and engagement in meetings with the entire C-Suite, investors, partners and the board. In this way, CEOs can ensure they are up to speed, or even better, ahead of the curve on the latest security threats and the regulatory landscape. This, in turn, will fuel informed decisions about IT budget allocations and more.
Spotlight staff training programmes
One of the earliest steps the C-Suite needs to take to protect their organisation's data against cyber attacks is to educate employees and get them up to speed on the latest threats. Whether it's malware, phishing e-mails or DDoS attacks, the C-Suite needs to invest time and money in teaching employees the everyday basics of cyber hygiene.
This includes training them to recognise fraudulent e-mails that contain suspicious links, to use strong, unique passwords together with multi-factor authentication where it is available, and providing clear and straightforward IT guidelines that raise overall cyber literacy within the business.
By going the extra mile and hiring technical specialists, the C-Suite can run practical, interactive training sessions that simulate real attacks, such as phishing campaigns against staff, and in doing so build the company's experience and cyber maturity.
Data recovery, business continuity strategies must come from the top
Cyber security forecasts were bleak enough pre-COVID, but the pandemic's arrival has presented bad actors with excellent opportunities. The coronavirus has generated pandemic-themed attacks that include ransomware disguised as official COVID-19 tracing tools – one such attack targeted Android users in Canada.
So, it is apparent that despite the best efforts of CIOs to implement security protection models that aim to prepare the business for any eventuality, they still get caught out by increasingly sophisticated attacks.
The C-Suite needs to put in place response and recovery plans strong enough to keep the business running in the event of a cyber attack. They must take an inventory of all data, encrypt sensitive information such as employee data and financial records, and make regular backups that are stored safely outside the network. Those copies must be offline or held in storage that cannot be overwritten, because ransomware that has the run of the network will encrypt or delete any backup it can reach.
Backing up data is the most reliable way to ensure that data lost in an attack can be recovered from an external copy, so an organisation need never lose its data entirely. That guarantee only holds if restores are tested regularly: a backup that has never been restored is an assumption, not a recovery plan.
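The backup discipline described above, as an added example that is not part of the original article: a small Python script that archives a constructed sample data set, records a SHA-256 manifest, performs a trial restore, and then shows what happens when the live data is lost and, separately, when an attacker reaches the backup store and encrypts the archive itself. The file names, directory layout and sample records are all invented for illustration; the "offsite" directory merely stands in for a real off-network copy.

```python
"""Backup integrity check and restore test (added example, not from the article).

Demonstrates the three things an executive should ask for in a backup plan:
a recorded fingerprint of every backup, a trial restore that proves the copy
is usable, and detection of a backup that ransomware has encrypted in place.
"""
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_data(root: Path) -> None:
    """Constructed sample records standing in for the employee and finance data the article mentions."""
    (root / "hr").mkdir(parents=True)
    (root / "finance").mkdir()
    (root / "hr" / "employees.csv").write_text("id,name\n1,Alice\n2,Bob\n")
    (root / "finance" / "ledger.csv").write_text("date,amount\n2021-01-01,100.00\n")


def create_backup(src: Path, dest_dir: Path) -> tuple:
    """Archive src into dest_dir and write a manifest of hashes for the archive and every file."""
    archive = dest_dir / "backup.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src), arcname="data")
    files = {
        p.relative_to(src).as_posix(): sha256_file(p)
        for p in sorted(src.rglob("*"))
        if p.is_file()
    }
    manifest_path = dest_dir / "backup.manifest.json"
    manifest_path.write_text(json.dumps({"archive_sha256": sha256_file(archive), "files": files}, indent=2))
    return archive, manifest_path


def restore_backup(archive: Path, dest: Path) -> Path:
    """Extract the archive under dest and return the restored data root."""
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            tar.extractall(str(dest), filter="data")  # rejects path traversal on newer Pythons
        except TypeError:  # older Python without the filter argument
            tar.extractall(str(dest))
    return dest / "data"


def verify_backup(archive: Path, manifest_path: Path) -> bool:
    """True only if the archive is byte-identical to the recorded copy AND a trial restore
    reproduces every file with its recorded hash."""
    manifest = json.loads(manifest_path.read_text())
    if sha256_file(archive) != manifest["archive_sha256"]:
        return False  # archive altered, truncated or encrypted since it was taken
    with tempfile.TemporaryDirectory() as tmp:
        restored = restore_backup(archive, Path(tmp))
        for rel, digest in manifest["files"].items():
            p = restored / rel
            if not p.is_file() or sha256_file(p) != digest:
                return False  # restore is incomplete or corrupt
    return True


def run_demo() -> dict:
    """Walk through backup, loss of live data, recovery, and a backup encrypted by an attacker."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        live, offsite = work / "live", work / "offsite"  # offsite stands in for an off-network store
        offsite.mkdir()
        make_sample_data(live)
        original = (live / "hr" / "employees.csv").read_text()

        archive, manifest = create_backup(live, offsite)
        results["backup_verified"] = verify_backup(archive, manifest)

        # Incident 1: the live data is gone (ransomware, wiper, or an operator mistake).
        shutil.rmtree(live)
        restored = restore_backup(archive, work / "restore")
        results["restored_matches"] = (restored / "hr" / "employees.csv").read_text() == original

        # Incident 2: the attacker reached the backup store and encrypted the archive in place.
        archive.write_bytes(os.urandom(archive.stat().st_size))
        results["tampered_detected"] = not verify_backup(archive, manifest)
    return results


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner would add. First, the manifest here sits next to the archive; an attacker who can rewrite the archive can rewrite the manifest too, so in practice the manifest is kept on separate media or signed, and the archive itself goes to storage the production network cannot modify (offline media, or object storage with write-once retention). Second, the trial restore is the part most organisations skip; scheduling it, and reporting its result to the executive who owns continuity, is what turns the backup from a file into a plan.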
However, it is often the case that executives find it difficult to justify investment in such security options as there is rarely a tangible payoff. Usually, this type of investment is overlooked because it does not correlate directly with reduced spending or increased employee productivity.
The flipside of this coin is that not investing in security solutions could put the organisation at risk of severe financial and irreparable reputational damage.
Media reports abound suggesting South Africa is an increasingly popular target for ransomware attacks. One example dates from mid-2019, when Johannesburg's City Power suffered a ransomware attack that left an estimated quarter of a million prepaid electricity users without power while the provider's IT systems were shut down.
Other suggested reasons for SA's popularity with cyber criminals are the proliferation of mobile phones, which has helped bridge the digital divide across the entire continent, and the increasing use of mobile apps, including banking and retail apps, which are favourite targets for attackers.
The bottom line is that this growing menace must be dealt with by C-Suite management, who need to find and fund better solutions now.
Informed security budget decisions need to be taken by weighing up resource investment costs versus attack outcomes. A policy of too little, too late, will do nothing to keep the lights on in the event of a cyber breach – which today is more of a certainty than a possibility.