As cyber attacks continue to become more frequent and sophisticated, cybersecurity remains a critical issue for CIOs and businesses today. Over half of the organisations included in the 2018 CIO 100 reported that they had detected a security breach in the last year, while 82% expected an increase in the security budget to reflect greater defence against cyber attacks.
Major data breaches can cost companies millions in damages, as well as an incalculable cost to reputation. Some companies that have suffered crippling data breaches in the past year include Clarksons, Uber and CEX.
CIOs are often tasked with exploring new ways to protect customers and employees from online threats. But how can CIOs engage staff and promote cybersecurity within the workforce?
By highlighting security issues and raising overall awareness, CIOs can help combat the ever-evolving threat from security breaches.
CIO UK examines how CIOs can approach cybersecurity within the organisation, with comments from leading CIOs and digital experts on how they promote a security culture.
Hire a CISO?
According to the 2017 Harvey Nash / KPMG CIO Survey, just under a third of organisations had been subject to a major security incident in the previous 24 months, but only 20% of organisations felt that they were prepared for a cyberattack.
One way in which they can bolster their defences is by hiring a Chief Information Security Officer (CISO), whose role is dedicated to maintaining security within the company. A CISO must be alert to evolving cyber threats and the form that they could take. They are responsible for sharing their knowledge and advice with executives and employees, setting up an effective security plan and implementing security policies.
CISOs are arguably in highest demand at larger organisations with more complex security needs, with companies such as Reckitt Benckiser, Hargreaves Lansdown, Unilever and Centre Parcs all having one in place.
Andrew Rose, the CISO of air navigation service provider NATS, told CIO UK that the CISO role is becoming more business focused.
"My role is about influencing, stakeholder management, positioning and communication," he said. "It's all about getting the board's head in the right place so that they're okay with spending money and putting resources into this, and that they realise the benefit in it."
Richard Orme, CIO at Photobox, believes that hiring a CISO helped to change employees' attitudes towards security.
"It's not so much a question of, what tools can we buy to help us?" he said. "It's, how do we change as an organisation? How do we change our culture? That's where Dinis, our CISO, has been very strong. He'll sit with the engineering teams and educate them, and he'll create challenges for them. He'll commit code with them. So he really talks their language, and they respond to that massively. Instead of seeing security as something that they have to do, they now see it as an interesting problem to solve. Like with any engineering team, if you can give them a problem to solve, then they're at their happiest."
In organisations that do not have a CISO, it is generally the responsibility of the CIO to ensure employees are trained and aware of security threats and procedures.
Training can highlight issues such as browser safety and network security, and provide employees with a general understanding of security risks. As cyber threats evolve, employees should be kept up to date so that they are prepared and aware of what kind of malicious content to look out for.
However, according to the 2018 Global State of Information Security Survey, only 44% of executives are currently participating in their companies' overall security strategy.
In order to maintain an effective security strategy, new hires should receive training sessions before joining the workforce. Exploring creative ways to deliver training through the use of animation, infographics and interactive content can help to keep staff engaged with security issues.
Richard Stanton, CIO at the Dudley Group NHS Foundation Trust, said: "Around cybersecurity, we are putting good practices into IT and investing in technology to help protect us but clearly, the weakest link is always going to be the workforce. As part of the mandatory training, there is an IT security module which staff members have to undertake annually, so there have been a lot of mystery shopper type activities where we have been creating and testing our own viruses. We are sending out emails to our staff with fake viruses and seeing who has clicked on those links."
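The "mystery shopper" exercise Stanton describes, a simulated phishing mail whose links reveal who clicked, is simple to set up but easy to get wrong: if the link carries the recipient's name or address, anyone can forge a click in a colleague's name, and mail-gateway link scanners that pre-fetch every URL will inflate the click rate. The following is an added example, written for this article and not code from the Trust, CIO UK or any vendor; the campaign secret, recipient addresses, log format and scanner address are all constructed for illustration.

```python
"""Minimal phishing-simulation click tracker (added example, not the Trust's own tooling).

Each recipient gets an opaque, keyed token in the link; the landing page's
access log is then attributed back to recipients, discarding hits from known
mail-gateway link scanners and flagging tokens that match no recipient.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse


def make_token(secret: bytes, campaign: str, email: str) -> str:
    """Truncated HMAC-SHA256 over campaign id and (normalised) address.
    Keyed, so a recipient cannot compute a colleague's token and register a
    click in their name; no address appears in the URL itself."""
    msg = f"{campaign}\n{email.strip().lower()}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def build_campaign(secret: bytes, campaign: str, recipients, landing_base: str):
    """Return (token -> email map, email -> tracking URL map)."""
    tokens, links = {}, {}
    for email in recipients:
        tok = make_token(secret, campaign, email)
        tokens[tok] = email
        links[email] = f"{landing_base}?c={campaign}&t={tok}"
    return tokens, links


def parse_click(line: str):
    """Parse one landing-page access-log line in the assumed format
    '<ISO timestamp> <client ip> GET <path?query>'.
    Returns (timestamp, ip, campaign, token), or None if no token is present."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "GET":
        return None
    query = parse_qs(urlparse(parts[3]).query)
    tok = query.get("t", [None])[0]
    camp = query.get("c", [None])[0]
    if not tok or not camp:
        return None
    return datetime.fromisoformat(parts[0]), parts[1], camp, tok


def report(tokens, campaign, log_lines, scanner_ips=frozenset()):
    """Attribute clicks to recipients. Hits from known link-scanner addresses
    are discarded (they fetch every URL and would count as 'clicks'); tokens
    matching no recipient are reported as possible forgeries or typos."""
    clicked = defaultdict(list)
    ignored_scanner = 0
    unknown = []
    for line in log_lines:
        parsed = parse_click(line)
        if parsed is None:
            continue
        ts, ip, camp, tok = parsed
        if camp != campaign:
            continue  # hit belongs to a different exercise
        if ip in scanner_ips:
            ignored_scanner += 1
            continue
        email = tokens.get(tok)
        if email is None:
            unknown.append(tok)
            continue
        clicked[email].append(ts)
    total = len(set(tokens.values()))
    return {
        "clicked": {e: min(ts) for e, ts in clicked.items()},  # first click only
        "click_rate": round(len(clicked) / total, 3) if total else 0.0,
        "scanner_hits_ignored": ignored_scanner,
        "unknown_tokens": unknown,
    }


# --- constructed sample data: hypothetical staff, secret and log lines ---
SECRET = b"campaign-secret-held-by-security-team"
CAMPAIGN = "q1-invoice"
RECIPIENTS = ["alice@example.org", "bob@example.org", "carol@example.org"]
TOKENS, LINKS = build_campaign(SECRET, CAMPAIGN, RECIPIENTS,
                               "https://training.example.org/land")
SCANNER_IPS = {"203.0.113.9"}  # assumed address of the mail gateway's link scanner

SAMPLE_LOG = [
    # gateway pre-fetches Alice's link seconds after delivery: not a real click
    f"2018-03-01T09:00:05 203.0.113.9 GET /land?c={CAMPAIGN}&t={make_token(SECRET, CAMPAIGN, 'alice@example.org')}",
    # Bob clicks twice; only the first click is reported
    f"2018-03-01T09:12:41 198.51.100.23 GET /land?c={CAMPAIGN}&t={make_token(SECRET, CAMPAIGN, 'bob@example.org')}",
    f"2018-03-01T09:13:02 198.51.100.23 GET /land?c={CAMPAIGN}&t={make_token(SECRET, CAMPAIGN, 'bob@example.org')}",
    # someone guessing a token: cannot be attributed, so it is flagged
    f"2018-03-01T09:20:00 198.51.100.77 GET /land?c={CAMPAIGN}&t=deadbeef",
    # Carol's token used against a different campaign id: ignored
    f"2018-03-01T09:25:00 198.51.100.80 GET /land?c=other&t={make_token(SECRET, CAMPAIGN, 'carol@example.org')}",
    "2018-03-01T09:25:01 198.51.100.80 GET /favicon.ico",
]


def run_sample():
    """Report for the constructed campaign above."""
    return report(TOKENS, CAMPAIGN, SAMPLE_LOG, SCANNER_IPS)


if __name__ == "__main__":
    print(run_sample())
```

Per-recipient links come from `LINKS`; the report names who clicked and when, which is what the awareness module needs, while keeping addresses out of the mail body and the web logs. The scanner allowlist is a crude filter; a production exercise would also ignore hits arriving within seconds of delivery from any address.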
According to a 2017 Spiceworks survey, 62% of IT professionals see cybersecurity as a key skill to develop. CIOs need new ways to foster cybersecurity talent in the workforce.
BMJ's CDO Sharon Cooper said: "Security is a skill that everyone should have at varying levels, bringing diverse teams together and sharing knowledge. The hack day would bring suggestions that would fix business problems, develop new products or improve existing policies."
A workplace culture that has security awareness ingrained within it is one of the most effective ways to protect against security threats.
Employees are exposed daily to password theft, ransomware and other malware, so businesses should promote a security culture that helps staff stay safe online and recognise the telltale signs of an attack. Cultural change shows in staff adapting their behaviour to the security strategy and following security procedures more readily.
TalkTalk Business COO Duncan Gooding sees security as a function of workplace culture as much as an IT solution. "We have a whole cultural initiative from having training, workshops and group projects - making staff aware of the types of risks and security," he said.
Gooding has helped change TalkTalk's security strategy since the 2015 cyber attack, which cost the telecom company £400,000 in fines.
"TalkTalk is very much going through a cultural acceptance of what security means across the business post cyber-attack," he said. "[The strategy] is being discussed at every meeting and the fact that security is embedded in everything we do, from the process and the new products that we launch, to now being part of the day to day discussion."
Mieke Kooij, Director of Security at Trainline, also notes the importance of creating awareness of security issues in the office environment.
"Security is about creating a culture where information and systems are protected by shifting how people interact with them," she told CIO UK. "Where possible we use technology and automation to do this, but ultimately, it's about gaining consumer trust, winning hearts and minds and changing behaviour."
Employees need to understand the part they play in delivering a successful cybersecurity strategy. Involving the team at the ideas and planning stage, and in setting budgets, helps to motivate them and is an effective way to bring about cultural change.
Collaborate with security teams
Depending on the structure of the organisation, CIOs can collaborate with security teams to achieve a greater understanding of existing security policies. Regular meetings with security departments can build a strong relationship across departments. And taking notes, asking questions and peer observation can also help to raise awareness within the organisation.
Handling all of an organisation's security can be a mammoth task for in-house staff, prompting some businesses to outsource their security to third parties. Kevin Evans, CIO at Sun Branding Solutions, is an advocate of this approach.
"Since introducing this I've managed to cut my budget in terms of what I'm spending and at the same time I've got 24/7 security monitoring," he said. "I defy anyone in this room to monitor a four-continent, nine-country ecosystem with just seven IT staff in-house and still provide 24/7 security coverage. We've got that."
Provide secure devices
Security concerns surrounding mobile apps, file-sharing and downloads are increasingly common for organisations today, with employees more frequently connecting to open and vulnerable networks.
Mobile device management tools such as Miradore, Spiceworks and SOTI add a layer of control over the devices used for remote access: if a device is lost, compromised or falls out of compliance, an administrator can remotely lock or wipe it and so limit the potential damage.
As organisations explore new ways to protect their customers, Jonathan Monk, IT Director at The University of Dundee, has turned his attention to protecting his students.
"We have just deployed Microsoft Enterprise Mobility Suite and key wins for that have been assuring personal and mobile devices are secure and encrypted wherever they are," he said. "If they're accessing data from the university they can be confident that it's safe and secure."
CIOs could also consider laying out best practices for mobile or device security to ensure employees are conforming to the organisation's cybersecurity protocol.