CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.
There can be a tendency in organisations to relegate cybersecurity to an afterthought – an issue solely for the IT department to concern itself with. After all, the thinking goes, cybersecurity is just about computers, networks and software. Yet, in spite of rising investment in cybersecurity technology and solutions, organisations are sustaining higher losses from cyber-attacks. According to a 2020 survey by insurance firm Hiscox, companies in the US and Western Europe spent about 40% more money on cybersecurity over 2019, but they also reported a combined increase in losses from cyber incidents, from US$1.2B to US$1.8B. Effective cybersecurity depends not only on technology, but also people and processes. Any organisation that considers cybersecurity a primarily technical issue poses a fundamental risk to itself, because it is not taking into account the wider implications that cybersecurity has on core business assets and functions.
This issue of CyberSense makes the case that cybersecurity is more than a technical concern. It also suggests a few ways that cybersecurity can become a shared responsibility involving the whole organisation, including senior management’s endorsement and support.
WHAT MAKES CYBERSECURITY MORE THAN A TECHNICAL ISSUE?
Cybersecurity has become a mission-critical capability. The ability to maintain the confidentiality, integrity and availability of data has become a cornerstone of the modern economy. This is because all strategically important sectors, alongside a vast proportion of businesses, rely on digital systems to function smoothly. Accelerated digitalisation has also been driving greater connectivity between IT networks and operational technology (OT) systems that control physical processes, increasing inter-dependencies between business and operational functions. A high-profile incident earlier this year saw a cyber threat actor deploy ransomware to encrypt an organisation’s IT network. This in turn disabled components on the IT network that carried functions which affected OT systems, resulting in disruption of essential services. Shortages ensued, leading to disgruntled citizens, market fluctuations, and more than a few news headlines. At that point, it was the victim organisation’s senior management that was in the hot seat, not the IT department.
Cybersecurity involves strategic decisions on necessary trade-offs. This is because there is no such thing as absolute security across the board. No organisation has the resources to fix every cybersecurity issue, and not all fixes are equally important. There will always be a need to prioritise and balance between security, usability and costs. Risks are therefore inevitable. How big an appetite the organisation has for them is a decision that the IT department cannot make, nor could it: the IT department lacks the visibility that senior management has of the overall picture and competing interests. As such, the buck stops with an organisation’s leaders. They have to be the ones to decide what trade-offs in security, productivity and profitability the organisation can afford to make. This makes cybersecurity a business management issue, not just a technical one.
WHAT CAN BE DONE TO MAKE CYBERSECURITY A SHARED RESPONSIBILITY?
Senior management must take an active interest in cybersecurity. Cybersecurity cannot be wholly delegated to the IT department alone, not because the IT department cannot be trusted to do a good job, but because the lack of strategic oversight can be costly. Minimally, senior management needs to know what the organisation’s crown jewels are, and see to it that resources are freed up and allocated for stronger defences of these important assets. What are the most critical systems in the organisation? What are the inter-dependencies that need to be taken into account? What is the worst-case scenario, and the contingency plan to manage it? These are just a few of the questions that senior management should seek clear answers to.
Technical staff play an important role in making cybersecurity more comprehensible. Translation of technical jargon into more accessible language is key to facilitating a common and better understanding across the board of the risks and threats confronting the organisation. Providing context and reframing cyber risks as business risks will also help. For example, simply stating the number of unpatched systems sheds little light. But highlighting business or operational implications that these unpatched systems may lead to can help senior management ask the right questions and make more informed decisions.
Cybersecurity has to be an organisational culture. According to the Verizon Data Breach Investigation Report 2019, more than 90% of malware is delivered via email. Caution has to be the first line of defence, as cyber-attacks often exploit human behaviour, and do not always rely on technical vulnerabilities to succeed. Security-by-design calls for security to be built into every phase of a product’s development lifecycle. Likewise, cybersecurity must be baked into an organisation’s culture and permeate every level, from the most junior staff to the most senior leader. The goal is for every member of the staff and leadership to be aware of the cyber threats confronting the organisation, understand the responsibilities they each have towards cybersecurity, and possess the necessary motivation and knowledge to act on these responsibilities.
Enterprises can leverage CSA’s cybersecurity toolkits. The toolkits are tailored: each provides a deeper understanding of cybersecurity issues and threats suited to one of these three groups: (i) enterprise leaders and owners of small-medium enterprises; (ii) employees; and (iii) enterprises’ IT teams. Using these toolkits, all three groups can adopt measures pertinent to their respective roles. The toolkit for enterprise leaders explains how upfront investment in cybersecurity is preferable to taking remedial action after breaches occur, and provides a starting point for senior management to develop a cybersecurity strategy, work out its implementation approach and build a strong cybersecurity culture in the organisation. The toolkit for employees sets out how each person can practise cyber-safe behaviours in the work setting so as not to fall prey to cyber threat actors, and provides tips and good practices to raise employees’ cyber awareness. The toolkit for IT teams, which will be rolled out next year, will provide guidance on keeping enterprise IT systems safe, as well as useful technical tools.
A car’s bodywork and horsepower may get the lion’s share of attention, but brakes are never an afterthought. Likewise, cybersecurity should never be a peripheral matter amidst the complexities of running an organisation. Although treating cybersecurity as a management issue may not yet be as widely practised as it should be, increasingly impactful cyber incidents have served as timely reminders to do so. Elevating cybersecurity to its rightful role as a strategic enabler will put our companies and businesses on a far stronger footing to advance at full throttle in this digital economy.
Sources: Boston Consulting Group; Ernst & Young; Harvard Business Review; Hiscox Cyber Readiness Report 2020; Verizon Data Breach Investigation Report 2019.