Should C-level execs face prison for data breaches?

As data theft disclosures hit the headlines in 2015, organisations' dependence on security professionals and senior managers to protect their networks and business-critical data has come under serious scrutiny. Organisations up and down the country are failing to provide their employees with the cybersecurity training that would help them be more vigilant against cyber-attacks.

The threats and risks should be discussed regularly as a team to ensure that countermeasures are implemented and the organisation's data is protected. Failing to provide this training leaves businesses exposed to the loss of confidential data, and to the loss of trust and irreparable reputational damage that follow a breach.

On top of this, another eye-opening finding for organisations is security professionals' call for data loss to be dealt with seriously by the law. That view was shared by 98 per cent of respondents surveyed at the 2015 eCrime Congress, which included security professionals from government, public and private sectors and senior managers responsible for risk, audit and compliance.

The respondents argued that ultimate responsibility for a loss of data has to rest at the very top of the business. One in six (16 per cent) said that CEOs and board members should face prison if their organisation suffers a data breach, while 70 per cent said the CEO must be held accountable in the aftermath. Additionally, 65 per cent said that businesses should face fines when they lose data.

While it is the day-to-day responsibility of senior managers to safeguard their organisations, all employees should be educated on the security risks, including C-level execs. However, only one in five CEOs globally (21 per cent) are 'extremely concerned' about cyber threats and a lack of data security, according to research from PwC. The reality is that many businesses don't know they are losing data at all, never mind which data is being lost.

The pending EU Data Protection Regulation, which is likely to come into effect in the next two years, will pave the way for heavier fines and stronger restrictions on companies that suffer data breaches. There has never been a better time for CEOs to get their security controls in order. With entry-level attackers now causing huge problems for organisations and executives through even basic cyber-attacks, CEOs and other C-level execs must understand how to limit their exposure.

However, the ever-increasing information security skills shortage and the lack of employee education are hindering companies' efforts to implement a data-centric approach to security, which is required to keep business-critical information safe. As well as educating employees on data protection, organisations must build corporate cultures in which employees constantly consider the security risks that surround every process they carry out. This must be led from the C-level down to ensure that good data-handling practices are adhered to.

While cybersecurity is on the boardroom agenda, C-level execs are being briefed on business threats rather than business risks, and it is the role of the security professional to raise the board's awareness. However, all is not lost: three quarters of the respondents we spoke to felt that publicity has helped their fellow security professionals make the case for budget, focus and resources at board level.

Security professionals should now realign their strategy, answer board-level questions about regulatory changes, and establish robust data protection policies. Failing to be prepared is a sure-fire way of alienating the board while putting the business at risk not only of suffering crippling data breaches but also of incurring damaging financial and reputational losses.

However, while it is the security team's responsibility to propose the case, it is the C-level executives' role to check in regularly with the team and review the organisation's security controls to ensure that standards are met and the risk of data theft is reduced.

C-level directors and security professionals should work in collaboration to ensure that provisions are in place and technical training is provided to existing security staff. Regular training on phishing attacks, typo-squatting and general awareness of security attacks is absolutely vital and goes a long way towards safeguarding corporate data.

Neil Thacker, Information Security & Strategy Officer, Raytheon | Websense

Image source: Shutterstock/albund