No matter the size of the organisation or the vertical in which it operates, cybersecurity has fast become the number one concern for CIOs and business leaders across the globe as they battle to protect their company against increasingly frequent and sophisticated cyber attacks. Over half of the organisations included in the 2018 CIO 100 reported that they had detected a security breach in the last year, while 82% expected an increase in the security budget to reflect greater defence against cyber attacks.
It's been well documented just how damaging a major data breach can be, costing companies financially and destroying reputations that have sometimes taken decades to build. In 2019, we’ve already witnessed the biggest data breach on record, when security researcher Troy Hunt discovered the largest ever collection of leaked data – an 87GB package of 12,000 files, including more than 772 million email addresses and 21 million passwords.
CIOs are often tasked with finding new ways to protect customers and employees from online threats. But how can CIOs engage staff and promote cybersecurity within the workforce?
While highlighting security issues and raising overall awareness is undoubtedly an important first step on the road to cybersecurity, simply telling people to be more security-savvy is rarely enough.
CIO UK examines how CIOs can improve their organisation’s approach to cybersecurity, with comments from leading CIOs and digital experts on how they promote a security culture.
Hire a CISO
Last year it was reported that almost half of UK businesses were subject to a cyber attack or suffered a security breach, costing businesses an average of £3,100. Therefore, it's of little surprise that many companies are now looking to bolster their security by hiring a Chief Information Security Officer (CISO).
A CISO is responsible for setting an organisation's security strategy and must be alert to evolving cyber threats and the form that they could take. They are responsible for sharing their knowledge and advice with executives and employees, setting up an effective security plan and implementing security policies. Furthermore, a report by IBM and the Ponemon Institute LLC found that appointing a CISO decreased the average per capita cost of a data breach by $6.50.
Richard Orme, CIO at Photobox, believes that hiring a CISO helped to change employees' attitudes towards security.
"It's not so much a question of, what tools can we buy to help us?" he said. "It's, how do we change as an organisation? How do we change our culture? That's where Dinis, our CISO, has been very strong. He'll sit with the engineering teams and educate them, and he'll create challenges for them. He'll commit code with them. So, he really talks their language, and they respond to that massively."
However, it's important to remember that, while hiring a CISO has clear benefits, it doesn't guarantee your business won't be hit by a cyber attack.
For organisations without a CISO, the responsibility of setting the cyber security agenda falls to the CIO. If the worst should happen and your company suffers a data breach, how you handle the impact will define your organisation for years to come, meaning it's vital that every member of staff is on the same page.
Training is the best way to ensure everyone in your company understands and implements your security strategy, minimising the potential for a security incident to occur as a result of human error. Training can also help to highlight issues such as browser safety and network security, and provide employees with a general understanding of security risks.
Richard Stanton, CIO at the Dudley Group NHS Foundation Trust, said: "Around cybersecurity, we are putting good practices into IT and investing in technology to help protect us but clearly, the weakest link is always going to be the workforce. As part of the mandatory training, there is an IT security module which staff members have to undertake annually, so there has been a lot of mystery-shopper-type activity where we have been creating and testing our own viruses. We are sending out emails to our staff with fake viruses and seeing who has clicked on those links."
It's important not to become complacent. Offering your employees security training once does not mean your job is finished. As cyber threats evolve, employees should be kept up to date so that they are prepared and know what kind of malicious content to look out for.
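As an added illustration (not from the article or from the Dudley Group's own tooling), a short Python script that turns the results of a simulated-phishing exercise like the one Stanton describes into the two figures a CIO would track: the click rate per campaign, and the staff who clicked in more than one campaign, who are the first candidates for the refresher training the paragraph above calls for. The CSV layout, column names and all people and departments are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export from a simulated-phishing tool (not real data).
# One row per recipient per campaign: did they click the fake link, and did
# they report the email to IT instead?
SAMPLE_RESULTS = """campaign,user,department,clicked,reported
2019-Q1,alice,HR,yes,no
2019-Q1,bob,Finance,no,yes
2019-Q1,carol,Ops,yes,no
2019-Q1,dave,IT,no,yes
2019-Q2,alice,HR,yes,no
2019-Q2,bob,Finance,no,yes
2019-Q2,carol,Ops,no,yes
2019-Q2,dave,IT,no,no
"""


def parse_results(text):
    """Parse the CSV export, turning yes/no columns into booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["clicked"] = row["clicked"].strip().lower() == "yes"
        row["reported"] = row["reported"].strip().lower() == "yes"
        rows.append(row)
    return rows


def click_rate_by_campaign(rows):
    """Fraction of recipients who clicked, per campaign: the trend to watch."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for r in rows:
        sent[r["campaign"]] += 1
        clicked[r["campaign"]] += int(r["clicked"])
    return {c: clicked[c] / sent[c] for c in sent}


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    hits = defaultdict(set)
    for r in rows:
        if r["clicked"]:
            hits[r["user"]].add(r["campaign"])
    return sorted(u for u, c in hits.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    results = parse_results(SAMPLE_RESULTS)
    for campaign, rate in sorted(click_rate_by_campaign(results).items()):
        print(f"{campaign}: {rate:.0%} clicked")
    print("refresher training:", repeat_clickers(results))
```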
Hire the best talent
The skills gap across the technology industry has already been widely reported on, with experts predicting the sector will be facing a global skills deficit of 4.3 million workers by 2030. Unfortunately, this talent deficit has hit the cybersecurity industry particularly hard, with Cybersecurity Ventures reporting that there will be 3.5 million jobs left unfilled by 2021.
As a result, organisations need to start looking beyond traditional recruitment methods if they want to plug the cyber security gap with the best possible talent. Looking beyond traditional qualifications, for example, is one way of widening the talent pool as many young people are now choosing to forego studying for a traditional degree and are instead gaining real-world experience through internships or apprenticeships.
If you don't have the budget to hire a shiny new security team, upskill your current employees by offering them the opportunity to earn cybersecurity certifications and specialise in areas where your company's security defences might be weak. Not only will this benefit your business, it will also boost your employees' morale, and they will be more likely to remain with the company if they feel it is invested in their professional development.
Implement an organisation-wide security strategy
Just because you've managed to get your IT department on board with security best practices, it doesn't mean your organisation is now secure.
Does your HR department know about the dangers of password reuse? Is your CMO still using their personal phone for business-related purposes? Does that new Ops employee know what phishing is?
For a security strategy to be successful it has to be understood and implemented by every member of your company, from the CEO and the executive team right down to the work-experience kid who's only with the company for two weeks.
One of the most effective ways to protect against security threats is to develop a workplace culture with security awareness ingrained in it. Businesses should promote a security culture that helps staff members stay safe online and recognise the telltale signs of a cyber attack.
TalkTalk COO Duncan Golding understands the importance of security best practices more than most, after the company was fined £400,00 in the wake of a 2015 cyber attack.
"TalkTalk is very much going through a cultural acceptance of what security means across the business post cyber-attack," he said. "[The strategy] is being discussed at every meeting and the fact that security is embedded in everything we do, from the process and the new products that we launch, to now being part of the day to day discussion."
A big part of any security strategy is trust. No organisation wants to suffer a data breach but, if the worst should happen, being transparent with your customers, employees and stakeholders will go a long way to helping rebuild your reputation.
Ian Yip, Chief Technology Officer, APAC, of McAfee told CIO ASEAN, "If you look at it historically, the best way to handle incidents is the more transparent you are, the more you are able to maintain a level of trust. Obviously, every time there's an incident, trust in your organisation goes down. But the most transparent and communicative organisations tend to reduce the financial impact of that incident."
You also need to ensure you remain transparent with those inside your organisation as well, keeping all C-suite executives, department heads and key stakeholders aware of any potential risks as well as changes to the overall security strategy.