BT/KPMG Paper Calls on Business Leaders to Build a Culture of Security

There are members of the infosec community who continue to call for a technical-only solution to phishing prevention, one that cuts end users out of the equation entirely. And there likely always will be individuals seeking this Holy Grail. While we certainly can’t see into the future, we do know this: We fully expect technological advances to help with phishing, much like spam filters, sandboxing, and other technologies have over the years. But the trickle-down time and lag in adoption rates mean that no new technology will offer even close to an immediate fix to the problem. Waiting on technology to solve cybersecurity vulnerabilities and abandoning the idea that end users can be a better asset does nothing to advance security postures now.

We have long been advocates for not only implementing comprehensive, consistent, and continuous training programs, but also for building a top-down culture of security that puts an organization-wide emphasis on cybersecurity best practices. A recently published BT/KPMG whitepaper — Securing the digital enterprise: The cyber security journey – from denial to opportunity — echoes the benefits of that approach, and offers some excellent advice and practical tips that organizations can use as they progress on the often-perilous road that is end-user risk management.

Tip 1: Identify Where You Are on Your Journey

BT and KPMG postulate that, when it comes to cybersecurity, there are “five stages to the maturity journey”:

1. Denial (“It won’t happen to me”)
2. Worry (“Get as much security as possible”)
3. False confidence (“We’re ready”)
4. Hard lessons (“There’s no absolute security”)
5. True leadership (“We must work together”)

As the paper notes, organizations are likely to experience different challenges at each stage of their journey. It provides guidance on identifying your current status and makes the case for the importance of the exercise, saying, “Trying to run before you can walk wastes energy and resources, and it makes you a target not just for cybercriminals but for over-zealous cybersecurity salespeople.”

Tip 2: Make Sure Your Fundamentals Are Sound

The paper stresses the importance of having a good foundation for your cybersecurity efforts. It highlights key ways to “get the basics right”:

• Raising awareness
• Starting with good housekeeping (firewalls, anti-virus, patching, password security, and backups)
• Inventorying assets
• Making sure everyone has a responsibility for cybersecurity
• Training your people
• Being ready to respond
• Focusing on protecting your most sensitive information

Regardless of what stage you feel you may be in, it’s important to recognize that if your cybersecurity fundamentals aren’t sound, you are essentially at the beginning of your journey.

We surveyed 1,000 UK and 1,000 US end users about their cybersecurity habits and knowledge. Find out how their actions could be compromising your business.

Tip 3: Go Beyond Technology

The whitepaper does not undervalue the role of technology, but it stresses that technical safeguards are not the only defense you can — or should — employ in your war against cybercrime. The following passage highlights the example they give with regard to protecting against phishing and spear phishing attacks:

Everyone at every level in an organization is vulnerable to this type of attack. When a phish gets through your technology, your employees need to be able to recognise the danger. This is where education and awareness come in. You have to put in programmes to change your people’s behaviour and culture towards information and business security.

As we’ve said before, and the paper echoes, there is no absolute zero when it comes to risk — cybersecurity, or otherwise. And relying solely on technology to eliminate vulnerabilities is, ultimately, a losing proposition. After all, most (if not all) business-critical activities rely on a human component. Even technical solutions must be purchased and implemented and maintained by humans. And the simple fact is, even when we know the right technical answers to eliminate some vulnerabilities, they are not always implemented correctly.

Patch management is a great example of this. IT teams recognize that they should patch known vulnerabilities, but business drivers stand in the way of this at times (and the recent global ransomware infections have shown that decisions made based on these business drivers can be costly). Not everything related to technical security can be automated, so it is dangerous to ignore the human component and search for a strictly technical solution to a problem.

BT and KPMG advise, “Technology alone will only win battles. It won’t win the war. We must combine technology, people, and processes to stand a chance.”

Paul Wood, Bloomberg’s Chief Risk & Compliance Officer, who is quoted in the paper, agrees: “Policy should be combined with education and training as an ongoing process, not a one-off.”

Tip 4: Make Cybersecurity a Top–Down, Side-to-Side Pursuit

One of the common themes of the whitepaper is that cybersecurity needs to be an everyday, organization-wide thought process, not just something that is relegated to IT teams or that’s included as a twice-a-year line item in board-level discussions. It needs to be top-of-mind all the time, not only with your internal staff, but also those who touch and influence your business, like contractors, vendors, and all the personnel in your supply chain (such as cleaners, PR and legal agencies, and even cafeteria workers).

BT and KPMG caution against treating cybersecurity as a footnote to broader operational risks and strategy discussions, saying “Make cybersecurity something you always consider. Talk about it like you would any other business concern. If you can think of it as an everyday part of doing business, you can manage the fear and uncertainty much better. ”

This goes hand-in-hand with building a culture in which senior managers and executives lead by example. The whitepaper stresses the need to have CEOs and board members who champion cybersecurity efforts, saying that leaders need to “walk the talk.” The paper goes on to say the following about those who have progressed to being in the “true leadership” stage of the cybersecurity journey:

True leaders think differently about security. They see cybersecurity as an opportunity – a business unit, not a cost centre. They help implement new services, tracking and monitoring their security, continuously adapting their defences to deal with the changing threat. They develop metrics of security which resonate with the business, and give senior leaders appropriate confidence in the organisation’s security stance.

Most importantly, they realise that people are at the heart of security. It’s not just about teaching them, but about understanding them and their behaviour, so you can spot the unusual and the different.

As Christine Maxwell, BP’s Governance, Risk, and Compliance Director, stated, “Security it not a project, it is a journey.” For help in determining where you are on your journey, download your copy of the BT/KPMG whitepaper. And if you need a partner to help you build a culture of security, one in which your employees are given the knowledge and confidence they need to be a security asset rather than a security liability, know that we are always here to assist you.