Tip 3: Go Beyond Technology
The whitepaper does not undervalue the role of technology, but it stresses that technical safeguards are not the only defense you can — or should — employ in your war against cybercrime. The following passage highlights the example they give with regard to protecting against phishing and spear phishing attacks:
Everyone at every level in an organization is vulnerable to this type of attack. When a phish gets through your technology, your employees need to be able to recognise the danger. This is where education and awareness come in. You have to put in programmes to change your people’s behaviour and culture towards information and business security.
As we’ve said before, and the paper echoes, there is no absolute zero when it comes to risk — cybersecurity, or otherwise. And relying solely on technology to eliminate vulnerabilities is, ultimately, a losing proposition. After all, most (if not all) business-critical activities rely on a human component. Even technical solutions must be purchased and implemented and maintained by humans. And the simple fact is, even when we know the right technical answers to eliminate some vulnerabilities, they are not always implemented correctly.
Patch management is a great example of this. IT teams recognize that they should patch known vulnerabilities, but business drivers stand in the way of this at times (and the recent global ransomware infections have shown that decisions made based on these business drivers can be costly). Not everything related to technical security can be automated, so it is dangerous to ignore the human component and search for a strictly technical solution to a problem.
BT and KPMG advise, “Technology alone will only win battles. It won’t win the war. We must combine technology, people, and processes to stand a chance.”
Paul Wood, Bloomberg’s Chief Risk & Compliance Officer, who is quoted in the paper, agrees: “Policy should be combined with education and training as an ongoing process, not a one-off.”
Tip 4: Make Cybersecurity a Top–Down, Side-to-Side Pursuit
One of the common themes of the whitepaper is that cybersecurity needs to be an everyday, organization-wide thought process, not just something that is relegated to IT teams or that’s included as a twice-a-year line item in board-level discussions. It needs to be top-of-mind all the time, not only with your internal staff, but also those who touch and influence your business, like contractors, vendors, and all the personnel in your supply chain (such as cleaners, PR and legal agencies, and even cafeteria workers).
BT and KPMG caution against treating cybersecurity as a footnote to broader operational risks and strategy discussions, saying “Make cybersecurity something you always consider. Talk about it like you would any other business concern. If you can think of it as an everyday part of doing business, you can manage the fear and uncertainty much better. ”
This goes hand-in-hand with building a culture in which senior managers and executives lead by example. The whitepaper stresses the need to have CEOs and board members who champion cybersecurity efforts, saying that leaders need to “walk the talk.” The paper goes on to say the following about those who have progressed to being in the “true leadership” stage of the cybersecurity journey:
True leaders think differently about security. They see cybersecurity as an opportunity – a business unit, not a cost centre. They help implement new services, tracking and monitoring their security, continuously adapting their defences to deal with the changing threat. They develop metrics of security which resonate with the business, and give senior leaders appropriate confidence in the organisation’s security stance.
Most importantly, they realise that people are at the heart of security. It’s not just about teaching them, but about understanding them and their behaviour, so you can spot the unusual and the different.
As Christine Maxwell, BP’s Governance, Risk, and Compliance Director, stated, “Security it not a project, it is a journey.” For help in determining where you are on your journey, download your copy of the BT/KPMG whitepaper. And if you need a partner to help you build a culture of security, one in which your employees are given the knowledge and confidence they need to be a security asset rather than a security liability, know that we are always here to assist you.