In the years leading up to 2018, there has been an increase in both the frequency and the sophistication of the cyber-attacks launched at organisations.
Most companies by now would have invested in some sort of cybersecurity technology, if not poured in millions to protect themselves against cybersecurity breaches. However, a cybersecurity breach is still inevitable, and the question is whether cyber threats can be detected early and how best to mitigate and eventually nullify them.
To tackle these new cybersecurity challenges, C-levels need to run a tight ship when it comes to implementing cyber strategy, and inculcating a favourable cyber culture.
Taking Back the Initiative
According to the Global State of Information Security Survey 2018 by PwC, most corporate boards are not proactively shaping their companies' security strategies or investment plans. Only 44% of respondents say their corporate boards actively participate in their companies' overall security strategy.
It is important to stress that the cyber threat problem is no longer just the functional role of the CIO or IT Department. C-levels need to incorporate a top-down strategy and develop a culture that embraces cybersecurity considerations to mitigate cyber risks. They need to take ownership of building cyber resilience, equip themselves with the necessary knowledge and keep abreast of the cyber skillsets that their teams require. C-levels also need to be comfortable setting clear directions with regard to the organisation's cybersecurity policy, investments and behavioural strategy.
These are some of the key areas that the C-level would need to focus on:
Future-ready Cybersecurity Capability, Policy and Governance
At the basic level, most companies would have already set up some form of cybersecurity capability to protect against cyber threats. Correspondingly, there would also be policies, governance and SOPs put in place that would help to protect the business data. These policies would describe the kind of information that can be shared; the appropriate process of handling and storing of sensitive material; and the guidelines for the usage of storage devices and online assets. However, while this is a good first step, we know that this alone is insufficient to completely protect an organisation in the face of rapidly evolving cyber threats.
Besides IT systems, there has also been an unnerving increase in cyberattacks on industrial control systems. The growing dependence of critical infrastructures and industrial automation on interconnected physical and cyber-based control systems has resulted in cyber vulnerabilities in Supervisory Control and Data Acquisition (SCADA) systems and Operational Technology (OT) systems. These systems have needs that compete with those of IT systems. However, the treatment of cyber threats on SCADA systems would fundamentally differ from that on IT systems. IT systems prioritise data and the confidentiality of that data, while OT systems focus on processes and availability, as they cannot afford downtime.
Organisational Behavioural and Cyber Readiness Gap
The increase in complexity of cyber challenges means that cybersecurity technology and well-thought-out policies would only eliminate a fraction of the cyber threats; the human element is required for 100% elimination of cyberattacks. An organisation would need a cyber team with deep expertise and proper training based on real-life scenarios to tackle cyberattacks effectively. Leaders of organisations should also have a proper understanding of cybersecurity and be convinced of their crucial role in ensuring their cyber defence is robust.
Everyone plays a vital role in creating a secure cyber environment. Different programmes to inculcate cybersecurity awareness, tailored for various groups ranging from the C-levels to the cyber team and the masses, are necessary.
Once armed with the know-how, C-levels can create a favourable cyber culture in the company that encourages best cybersecurity practices. They need to provide clear security leadership by doing the following:
a) Clear communication to employees on the importance of cybersecurity risk management and how this is crucial to an organisation's success.
b) Collaboration with cybersecurity professionals in their organisation on a regular basis so as to be able to make informed business decisions that take into account cybersecurity needs.
c) Ensuring that every employee is supported in terms of organisation culture and budget to take up suitable cybersecurity training.
Developing a strong culture of considering cybersecurity in all business decisions will go a long way in ensuring organisational success. If your organisation is looking to strengthen its security posture, there is no better time than now to start taking back the initiative and conquering the cyber unknown.