Prioritise security, test your policies and make GDPR part of your business as usual
It is a particularly interesting time in history to be thinking about cyber security and how to protect your business from emerging threats. Over the last year cyber issues have asserted their prominence in the public eye. With big breaches, such as the 50m Facebook accounts recently exposed by a system flaw, hitting the headlines with alarming frequency, and new regulations such as GDPR now in operation, organisations and individuals alike are being forced to spend some time reflecting on where their data actually is.
In our Cyber Ready Barometer report we spoke to around 1500 businesses across 9 countries, and discovered that only one in four had robust enough security in place to be considered ‘Cyber Ready’. We define Cyber Readiness as being able to secure the business effectively and continue to operate in the face of the full range of threats and challenges. Furthermore, we found that a concerning 14% are currently very unprepared to handle the current threat environment. We didn’t just speak to business decision-makers either: we extended the conversation to over 3000 employees and consumers as well, uncovering some fascinating insights into what is actually going on inside businesses and exposing a stark disconnect between employers and their employees when it comes to security.
While connecting exponentially more people, places and things is having hugely positive effects on efficiency and collaboration within businesses, these developments are exposing some shortcomings in the vital human aspect of security. As businesses strive to reap the benefits of digital transformation, are bad habits or practices from the past threatening their future? In a previous blog, we pointed out some of the new types of attack coming our way, but how ready are businesses today to face them? How can they up their game at this important moment in history, to better protect themselves and their customers – becoming truly Cyber Ready? Here are three areas of focus all security leaders should consider.
1. Prioritise security and reap the rewards
In the era of digitalisation, security must be a top priority. It’s not enough to do the bare minimum and it’s certainly not a box-ticking exercise. The cybercrime industry has skyrocketed in value and is now frequently estimated to rival or exceed the global drugs trade: data is invaluable, it’s everywhere, and criminals want it. With so much at risk, protecting data can’t be a task for the IT team alone anymore; it must be a company-wide effort. Europol’s latest Internet Organised Crime Threat Assessment (IOCTA 2018) confirms that the sophistication of Organised Crime Groups (OCGs) is still on the rise, and that they are increasingly targeting small businesses as well as large. If organisations and their employees are struggling with current threats, how are they going to keep up with this rapidly evolving threat environment? They must prioritise security in every element of the business.
To keep up with highly adaptable OCGs, security functions in businesses must become more flexible. However, this flexibility is often constrained by tight budgets and a lack of prioritisation. Our Cyber Ready Barometer research did find that the proportion of IT budgets focused on security is increasing, driven principally by increasing security threats (55% of respondents), minimising risks to reputation (43%) and the greater use of cloud (43%). However, with only 29% of businesses feeling ready for the future, it’s clear there’s still work to be done. Failure to prioritise security increases the risk of a breach, which is likely to be accompanied by large fines, compensation claims and reputational damage. The average data breach is costing organisations in the region of $3.86 million globally, according to research conducted by the Ponemon Institute.
Interestingly, there is an added opportunity cost for those businesses that overlook security. Our research found a strong correlation between high levels of Cyber Readiness and achieving positive business outcomes and competitive advantage. Consumers ARE willing to pay more if you can assure them their data will be secure, so invest, be flexible, and make sure you can deliver.
Cyber Ready businesses also exhibited a high degree of trust from stakeholders (an average of 4.3/5), and 47% reported annual revenue increases of more than 5% in the last year. Businesses classed as having Advanced readiness levels (the top 5% of all businesses surveyed, measured on the Cyber Ready Index) excelled further, achieving even higher stakeholder trust (4.8/5), and 58% experienced revenue growth of over 5%. Conversely, organisations rated as having Basic Cyber Readiness (the lowest classification) saw lower stakeholder trust, an average of 3.1/5, while only 22% reported revenue growth of over 5%. Here lies an opportunity for firms to take advantage of security’s newly found prominence in the press and create a compelling business case for investment.
2. Put the right security policies in place and enshrine security into your culture
Once you have prioritised security and are dedicating the required level of resources, you can begin to put the right set of security policies in place to deal with new threats. A survey by the UK Department for Digital, Culture, Media and Sport (the Cyber Security Breaches Survey 2017) showed that 26% of business leaders lack awareness of what to do when a security incident occurs, who to report it to and why they should report it. There are a number of frameworks that are a clear starting point, for example Cyber Essentials and Cyber Essentials Plus in the UK. Putting clear policies in place and ensuring every employee knows what to do in the event of a breach can hugely mitigate the impact, so why are so many business leaders still in the dark?
It doesn’t stop at simply having the right policies, because if your staff don’t know about them or don’t follow them, they’re effectively worthless. The Vodafone Cyber Ready Barometer research highlighted a worrying disconnect between business and employee views of working practices and behaviours. We found that less than half of employees reported that official policy is followed by all staff, and 42% of employers stated that information security is just a box-ticking exercise. Great news for hackers, terrible news for businesses and customers.
Furthermore, research by IronScales showed that phishing scams account for up to 95% of successful cyberattacks worldwide. Are your staff trained to spot them? Worryingly, many businesses still see awareness training as a one-off fix, but phishing attacks are becoming so sophisticated, and their consequences so drastic, that employees now need continuous training to keep up and spot new types of scam. It’s time businesses started testing their own employees and enshrining security into their culture. Send realistic simulated phishing emails, measure the percentage of the workforce that reports them as suspicious (not just the percentage that clicks), and direct follow-up training at repeat clickers rather than punishing them: staff who fear punishment stop reporting, and a prompt report is exactly what limits the damage of a real attack.
There are some great frameworks and pieces of industry guidance, complemented by training courses and certifications, that can help in this respect, so make sure you use them, such as Infosecurity’s Top 10 Ways to Detect Phishing.
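As an added worked example (not code from the original post or from Vodafone), the script below turns the raw export of a phishing simulation into the metrics the paragraph above recommends tracking: click rate and report rate per campaign, how quickly reports arrive, report rate per department, and which individuals clicked in more than one campaign and therefore need follow-up training. The CSV layout, the department field and the sample events are assumptions constructed for illustration; real simulation tools export something similar but with their own column names.

```python
"""Phishing-simulation scorecard.

Added example, not Vodafone's or any vendor's code. The CSV layout, the
department column and the sample rows below are constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample export: one row per (campaign, recipient).
# Timestamps are ISO 8601; an empty field means the action never happened.
SAMPLE_EVENTS = """campaign,user,dept,sent,clicked,reported
2018-Q3,alice,finance,2018-09-03T09:00:00,,2018-09-03T09:04:00
2018-Q3,bob,finance,2018-09-03T09:00:00,2018-09-03T09:12:00,
2018-Q3,carol,sales,2018-09-03T09:00:00,2018-09-03T09:30:00,2018-09-03T09:31:00
2018-Q3,dave,sales,2018-09-03T09:00:00,,
2018-Q4,alice,finance,2018-11-05T09:00:00,,2018-11-05T09:02:00
2018-Q4,bob,finance,2018-11-05T09:00:00,2018-11-05T09:08:00,
2018-Q4,carol,sales,2018-11-05T09:00:00,,2018-11-05T09:20:00
2018-Q4,dave,sales,2018-11-05T09:00:00,2018-11-05T10:00:00,2018-11-05T10:05:00
"""


def _ts(value):
    """Parse an ISO 8601 timestamp, or return None for an empty field."""
    return datetime.fromisoformat(value) if value else None


def parse_events(text):
    """Read the simulation export into a list of dicts with datetime fields."""
    return [
        {
            "campaign": row["campaign"],
            "user": row["user"],
            "dept": row["dept"],
            "sent": _ts(row["sent"]),
            "clicked": _ts(row["clicked"]),
            "reported": _ts(row["reported"]),
        }
        for row in csv.DictReader(io.StringIO(text))
    ]


def campaign_scorecard(events):
    """Per campaign: click rate, report rate and median minutes from send to report.

    Report rate counts everyone who reported, including people who clicked
    first; a click followed by a report is still the behaviour you want.
    """
    by_campaign = defaultdict(list)
    for e in events:
        by_campaign[e["campaign"]].append(e)
    scorecard = {}
    for name, rows in sorted(by_campaign.items()):
        sent = len(rows)
        clicks = sum(1 for r in rows if r["clicked"])
        reports = sum(1 for r in rows if r["reported"])
        minutes = [(r["reported"] - r["sent"]).total_seconds() / 60
                   for r in rows if r["reported"]]
        scorecard[name] = {
            "sent": sent,
            "click_rate": round(clicks / sent, 3),
            "report_rate": round(reports / sent, 3),
            "median_minutes_to_report": median(minutes) if minutes else None,
        }
    return scorecard


def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    These are the people to prioritise for follow-up training, not to punish.
    """
    clicked_in = defaultdict(set)
    for e in events:
        if e["clicked"]:
            clicked_in[e["user"]].add(e["campaign"])
    return sorted(u for u, c in clicked_in.items() if len(c) >= min_campaigns)


def dept_report_rate(events):
    """Report rate per department across all campaigns, to spot teams that
    never report and need targeted awareness work."""
    counts = defaultdict(lambda: [0, 0])  # dept -> [sent, reported]
    for e in events:
        counts[e["dept"]][0] += 1
        if e["reported"]:
            counts[e["dept"]][1] += 1
    return {d: round(r / n, 3) for d, (n, r) in sorted(counts.items())}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    for campaign, stats in campaign_scorecard(ev).items():
        print(campaign, stats)
    print("repeat clickers:", repeat_clickers(ev))
    print("report rate by dept:", dept_report_rate(ev))
```

On the sample data the report rate rises from 50% in the first campaign to 75% in the second even though the click rate is unchanged, which is the trend worth showing the board; the single repeat clicker is the one person who needs a conversation.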
3. Take GDPR seriously and make it part of your BAU activities
After years of discussion and debate, GDPR finally landed and now protects the personal data of individuals in the EU (data subjects), wherever in the world the organisation processing that data is based. While it’s not going to solve the problem in a day, it is a step in the right direction to change the way organisations think about their customers’ data. We’ve spent the last thirty years embracing technology and revelling in its benefits, without taking a conscious look at where our data is, what it’s being used for, and how well protected it is. GDPR is this conscious step back. Take the new regulation seriously and take stock of the customer data you hold; only then will you be on your way to being able to protect it. It’s essential to ensure that continual GDPR compliance and improvement are part of your Business as Usual activities.
To summarise, change is on the horizon: governments and organisations are beginning to understand the seriousness (and scale) of the threats, and new legislation is putting pressure on them to comply. Everyone in an organisation, from sales to marketing to technical personnel, is being forced to take responsibility for security. However, it isn’t going to be an easy transformation until cyber security is given the priority it requires. Far too many employees and business leaders don’t understand the threats themselves, nor what to do if they materialise, and with only 24% of businesses Cyber Ready there is clearly work to be done.
Security functions need to take some lessons from the hackers themselves and become tech-savvy and flexible enough to adapt to new technology and an evolving threat environment. Only then will we be able to win the race. So truly prioritise security, get the right policies in place, and continually educate your workforce: three big tasks, but critical to securing your business against the next generation of threats.