Adobe’s Cyber Woes: How Leaders Can Create Security Resilience


Last week, Adobe Inc. suffered a cyber breach wherein the email addresses of more than 7.5 million customers were exposed. For Adobe’s leadership, it was a stark reminder of the company’s 2013 breach, in which 38 million usernames and passwords were stolen. 

Across the globe, breaches are occurring at an alarming frequency. Earlier this year, the World Economic Forum ranked “data fraud and theft” and “cyberattacks” as fourth and fifth on the list of the “top 10 global risks of highest concern for the next decade.” Unless cybersecurity efforts match the pace of technological advances, the organization estimates these threats could cost as much as $90 trillion by 2030. 

Despite these dire predictions, many businesses are failing to keep up. More than two-thirds (69%) of employees feel their organization’s cybersecurity approach is “reactive and incident driven.” That is unacceptable. Leaders cannot afford to wait for an incident to occur, and cannot relegate cybersecurity to the confines of the IT department. Instead, leaders should take a proactive and integrated approach toward combating the rising number of cyber crimes and cloud-based vulnerabilities. Here are three ways they can start today. 

1. Improve Your Security Team

A 2018 PricewaterhouseCoopers (PwC) survey found that just 39% of respondents were “very comfortable with the sufficiency” of their cybersecurity and privacy workforce, and just 33% believed their companies were “fully ready to meet recent and emerging requirements for cybersecurity, data privacy, and data-use governance.” In all honesty, the time to build a cybersecurity team was yesterday. If a company is among those that have not yet hired an adequate workforce, it should do so immediately. 

The most important position on the security team is the chief information security officer (CISO or CSO) — which, incredibly, 38% of Fortune 500 companies do not currently have. These CISO-less companies are making the same mistake as Target, whose 2013 breach exposed the credit and debit card data of 40 million customers. According to a former manager, the lack of a CISO was a “root cause” of the breach. “[Target] didn't have an advocate at the C-level, as an executive, advocating for IT security investment,” he said. The breach cost Target’s CEO and CIO their jobs, and cost the company more than $200 million.

In addition to an experienced CISO, research from IBM suggests that companies should designate a specific incident response (IR) team that pulls members from different departments. Though this will not prevent breaches, it could reduce their impact. “Organizations that have an in-house IR team responded to attacks faster and better and saved considerable costs in the process,” the report noted. The average savings was $14 per record; when multiplied by millions of accounts, it is easy to see why an IR team is a worthy endeavor. 

2. Nurture a ‘Security Culture’

While some leaders might consider external factors to be their organization’s biggest threat, research from IBM found that, in 2018, 29% of attacks involved phishing emails and 43% involved misconfigured cloud servers. In other words, one of the most “relentless” business threats is not hackers on the other side of the world, but company insiders “who unwittingly compromise the environment.” 

“In any system, humans are always the weakest link,” Chris Romeo wrote at Tech Beacon. Leaders should thus encourage a “security culture” that permeates all levels of their organization. The first step is investing in cybersecurity awareness training for employees. According to data from PwC and Accenture, only 34% of companies have such programs, and only 13% of leaders say investing more in training is a top priority. This is a critical error.

Not only do trainings raise awareness, explained Jason Choi and his colleagues at McKinsey, they also “signal to the business units that cybersecurity is a shared responsibility” and that “[a]nyone who has access to confidential data and systems, at whatever level, must play an active role in ensuring their safety.” Trainings need not be boring, either; Samantha Davison, security program manager at Uber, suggests using gamification to keep them engaging. “Pick a fun theme and parody it — we did Game of Thrones,” she said. “Throw a phishing writing workshop and have your employees write a phishing email for the company. The options are endless when you start to think outside the box.” 

3. Foster Communication

Another internal threat to companies is the disconnect between cybersecurity teams and business leadership. A recent survey from the Ponemon Institute discovered that 63% of IT security leaders do not report to the board on a regular basis — and 40% never report to the board at all. Furthermore, only 27% of boards oversee security budgets. For a company’s cybersecurity program to be successful, this disjointed approach will not suffice.

Top leadership needs to play a direct role in cybersecurity efforts — and not only once a breach has occurred. “The board of directors and C-suite… must be involved in enforcing a proactive approach to identifying and remediating security gaps,” said Larry Ponemon, founder and chairman of the Ponemon Institute. “While most companies have an executive tasked with accurately determining the efficacy of their cybersecurity strategy, they need to be communicating these findings to senior leaders and the board on a regular basis.”

The case for breaking down cybersecurity silos is made evident by Equifax. Its 2017 breach revealed the personal data of 150 million people and cost the company $1.4 billion. Although the technical reason for the breach was a “patching issue,” Lance Spitzner, the director of SANS Security Awareness, said it was really caused by people and structure. More specifically, it was caused by the fact the CSO did not report to the CIO. “IT was siloed from security,” he wrote, “the two rarely communicated or coordinated, leaving gaping holes in the organization.”  

As technology advances, there is no question that cybersecurity efforts must advance alongside it. To avoid the fates of Adobe, Target, and Equifax, leaders at every company should take proactive steps to create cyber resilience. As Omar Abbosh and Kelly Bissell wrote at Accenture, “Cybersecurity is the bedrock of tomorrow’s intelligent business. If companies are to succeed through the use of digital capabilities, to develop superior customer knowledge, unique insights and proprietary intellectual property… they will need a robust cybersecurity strategy to underpin it all.” 
