As the threat landscape continues to develop, and major data breaches appear to occur on a weekly basis, cybersecurity remains a critical issue for CIOs and businesses today.
Clarksons, Uber and CEX are just some of the organisations that hit the headlines after suffering data breaches in 2017.
Last year, Barclays Group Security CIO Elena Kvochko wrote in CIO UK that businesses need to implement strong measures at every level of the organisation to remain resilient to attacks.
An increasing number of CIOs are exploring new ways to protect customers and employees from online threats. And by highlighting security issues and raising overall awareness, CIOs can help combat the ever-evolving threats occurring in the workplace.
CIO UK looks at how CIOs can raise awareness of security with comments from leading CIOs and digital experts on promoting a security culture.
Hire a CISO?
CIO UK recently published tips on when to hire a Chief Information Security Officer; you can read them here: So does your organisation need a CISO?
According to Harvey Nash, only 20% of organisations feel that they are prepared when it comes to a cyber attack, with the problem continuing to grow.
A CISO is alert to the evolving cyber threats and the growing number of attacks. They share their advice and knowledge with executives and employees on the requirements for setting an effective security plan.
CISOs are arguably best suited to larger organisations with more complex security needs; Reckitt Benckiser, Hargreaves Lansdown, Unilever and Center Parcs all have a CISO in place. They are responsible for laying the foundations of a plan and communicating the value of security within the organisation.
NATS CISO Andrew Rose told CIO UK: “The CISO role is becoming more business focused. My role is about influencing, stakeholder management, positioning and communication.
“It’s all about getting the board’s head in the right place so that they’re OK with spending money and putting resource into this, and that they realise the benefit in it.”
In some organisations where there is no CISO, it is the responsibility of the CIO to ensure employees are trained and aware of security procedures and implications.
Training can highlight issues such as browser safety, network security and general cyber threats, which can help employees understand security risks overall.
As cyber threats evolve, employees should be kept up to date so that they are prepared and know what malicious content to look out for.
According to the 2018 Global State of Information Security Survey, only 44% of executives are participating in the company's overall security strategy.
In order to maintain an effective security strategy, new hires should receive training sessions before joining the work environment. Exploring creative ways to deliver training through the use of animation, infographics and interactive content can help keep staff engaged and aware of security issues.
“All of our developers are trained in secure coding practices; we have ‘MacGyvers’ in all clusters, individuals with additional security training who are responsible for identifying and raising security concerns, as well as being a super-local centre of excellence for security skills,” he said.
According to a 2017 Spiceworks survey, 62% of IT professionals see cybersecurity as a key skill to develop. CIOs need to develop new ways to retain cybersecurity talent to ensure data is protected.
BMJ’s CDO Sharon Cooper says: “Security is a skill that everyone should have at varying levels, bringing diverse teams together and sharing knowledge. The hack day would bring suggestions that would fix business problems, develop new products or improve existing policies.”
One of the most effective ways to improve awareness of security threats is to encourage a cultural change. A security best practice should be available throughout the workplace, as this offers employees a useful resource to drive forward the shift in attitudes towards security.
CIOs can deliver a security strategy which underlines the importance of the risks, any personal concerns and how it will directly affect the business.
Today, employees are exposed to password theft, ransomware and malware, so businesses should be promoting a security culture that can help staff members to stay safe online and recognise telltale warnings surrounding cyber attacks.
A cultural change should result in the staff’s behaviour adapting to the strategy and becoming more responsive to security protocol. This can help increase employees’ skills, attitudes and own safety when it comes to security.
TalkTalk Business COO Duncan Gooding sees security as being as much a cultural thing as an IT solution.
“We have a whole cultural initiative from having training, workshops and group projects making staff aware of the types of security and risks in which we would expect in terms of best behaviour approach.”
The COO has helped change TalkTalk’s security strategy since the 2015 cyber attack, which cost the telecom company £400,000 in fines.
“TalkTalk is very much going through a cultural expectance of what security means across the business post the cyber-attack,” he said. “[The strategy] is being discussed at every meeting and the fact that security is embedded in everything we do, from the process and the new products that we launch, to now being part of the day to day discussion.”
Employees need to understand the part they play in achieving a security strategy. Team collaboration is a great way to establish security in the workplace through planning ideas and setting budgets to help motivate the team to deliver a cultural change.
Collaborate with security teams
CIOs should collaborate with security teams and get to grips with existing security policies.
Security is a complex subject and an ongoing issue for CIOs today. In-house teams cannot be expected to know everything about malware, data and information security.
Regular meetings with security departments can build a relationship while also outlining clear cybersecurity risks and legislation to ensure end-to-end security.
Taking notes, asking questions and peer observations can help raise awareness within the organisation.
Create a strategy roadmap
A common result of cyber attacks is that personal details, including email addresses, bank accounts and user passwords, are accessed and stolen by hackers.
According to a 2017 Harvey Nash survey, under a third of organisations have been subject to a major security incident in the past 24 months.
Wonga, Pizza Hut and Equifax are just some of the organisations that fell victim to a security breach in 2017. These infamous breaches have resulted in a loss of public confidence and cost companies millions of pounds. Raising security awareness can obviously help ensure the company is protected from cyber attacks.
A security roadmap detailing the risk of employees’ actions when online will help protect them against common malicious content associated with document sharing, link clicking and file downloading. A roadmap will also ensure a set path is created which CIOs and employees can call upon when needed.
Collecting information from previous reports and carrying out regular penetration tests will help illustrate the areas CIOs need to address in order to prevent any security vulnerabilities. This can help ensure the business and its data are protected while, of course, raising awareness of security in the workplace.
When it comes to security, CIOs should look to see if there are possible upgrades to be made before purchasing equipment.
Although organisations shouldn’t be cutting costs when it comes to security and protecting customer data, security tools should be updated regularly to reduce the risk of cyber-attacks, which will inevitably cost less money.
A good security suite can help protect your devices from a range of threats and protect your organisation from a serious security risk.
Provide secure devices
CIOs should be prepared to provide employees with safe and secure IT equipment.
Security concerns surrounding mobile apps, file-sharing and downloads have become an issue for organisations today, with employees connecting to open and vulnerable networks more often.
Device management tools such as Miradore, Spiceworks and SOTI offer an extra layer of security and remote access, meaning that if any vulnerability is detected, the systems administrator can effectively shut down the device and limit the amount of potential damage that might be caused.
“We have just deployed Microsoft Enterprise Ability Suite and key wins for that has been assuring personal and mobile devices are secure and encrypted wherever they are,” he said. “If they are accessing data from the university they can then be confident that is safe and secure,” he explained.
You should also consider setting out a mobile or device best practice for security to ensure you are meeting the organisation's security needs and protocol. This approach will assess employee devices to ensure they are connected to the business network safely.
Defining the applications and devices you want to permit can help ensure company data is protected while also educating staff on the overall risks of security. Regularly monitoring devices can help limit the organisation's risks, reduce IT costs and help manage IT use.