Cyber security

When I give presentations on cybersecurity, directors often ask, ‘Why do I need to worry about this when I have an IT team to take care of it for me?’

It’s a fair question. IT security has traditionally been a job for the IT team. Anti-virus software and other such tools are the basics of cybersecurity and installing them falls within their remit.

However the IT team cannot defend the business by itself. As the threats have become more complex and criminals more sophisticated, cybersecurity is now a company-wide challenge and one that requires leadership from the very top.

For a start, the nature of attacks is changing. As the government’sCyber Security Breaches Survey 2019 shows, phishing and other scams which rely on human vulnerability now far outnumber viruses or malware attacks.

As IT teams shore up their defences, attackers are preying on people instead. Humans are now the weakest link and attacks are becoming cleverer and more focused, with directors and senior decision makers increasingly being the targets.

Meanwhile regulators have made it clear that cybersecurity requires board-level engagement and they are threatening to hold directors to account for any breaches. Of course cybersecurity is very much a new field for most directors but it is critical that they step into a discovery phase and bring themselves up to speed.

Here are eight steps to help them take control of the threats:

1. Recognise that cybersecurity is a company-wide challenge

The fact is that cybersecurity cannot be left to one department but depends on people throughout the business playing their part – from frontline staff to the finance and HR teams – and requires a more integrated approach.

Malware protection, browser software and patch tools are all necessary but need to sit alongside policies and procedures such as staff training, granting or removing access rights. Companies need to create a framework that brings all these different elements together, ensure that everyone understands their roles and responsibilities, and keep records for compliance purposes.

2. Ensure you have the right people in place

Even if you don’t have a dedicated Chief Security Officer, you need to have people with cyber governance in their remit – certainly someone in IT and also a member of the board. The Cyber Security Breaches Survey found that only 35 per cent of companies had a board member responsible for cybersecurity even though embedding knowledge in the board in this way is a strong driver of change.

ThreatAware recommends that one director allocates two hours a week to cybersecurity governance. Firms with more than 250 employees must also employ a data protection officer under GDPR rules.

3. Understand the basics of cybersecurity

While you don’t need to know all the technical details, it’s useful to understand the basics. The government’s Cyber Essentials guide outlines the five key principles - secure your internet connection; safeguard your devices and software by the use of passwords or two-factor authentification; control access to your data and services, for example by ensuring privileges are only given to those that need them; protect your business from malware and viruses; and keep your devices and software up to date – known as ‘patching’.

4. Consider achieving a recognised standard

By law all businesses must comply with GDPR but attaining a higher standard will reassure customers that you take cybersecurity seriously. The Cyber Essentials scheme is very cost-effective even for smaller firms and some government contracts now require this certification while ISO/IEC 27001:2005 is a more in-depth and internationally recognised framework.

5. Carry out staff training

Cybersecurity is relevant to staff at all levels. But while frontline staff need to be aware of what to look out for, senior managers will need a deeper understand. Arguably, having some cybersecurity knowledge is part of a manager’s job and the National Cyber Security Centre’s guidance states that ‘executive staff should be as aware of the major vulnerabilities in their IT estate as they are of their financial status’. Consider whether training is required and if so, for whom? When did it last take place and how robust is the programme?

6. Organise a ‘pen test’

A penetration test is a simulated cyber attack conducted by a third-party provider and will assess how vulnerable your business systems are.

7. Put monitoring in place

Monitoring will allow you to detect threats and act on them at an early stage, but the system should not just cover cybersecurity tools but also take account of the company-wide processes and procedures. Ideally it should incorporate some type of alerts - for example if patches have not been updated, or staff training has not been carried out. Early detection can help prevent breaches or minimise the impact.

8. Draft an emergency response plan

In the event that there is a data breach or other incident, you need to be clear about what actions need to be taken and by whom. Remember also that under GDPR, breaches involving personal data will need to be reported within 72 hours to the Information Commissioner’s Office.

One in three businesses (32%) have been a victim of an attack or breach in the past 12 months, according to the Cyber Security Breaches Survey. While it is slightly lower than in previous years, breaches are becoming more costly and victims tend to suffer multiple attacks. Boards must now lead the fightback and work with IT teams to develop a coordinated approach to defeat the growing threat.

By Jon Abbott is the CEO of ThreatAware