Commentators call on security industry to do more to help businesses understand the value of data and how best to protect it
Most businesses consider cyber security to be important, yet 44% do not have a formal cyber security strategy, a report has revealed, highlighting a failure to understand the value of data. Small, medium and large firms need to consider the best way to protect themselves against what might be the defining challenge for business, according to the report, published by the Institute of Directors (IoD) and Barclays.
“Government, too, needs to do more to point busy business leaders towards existing schemes and advice, and making schemes more relevant,” the report said. “Ultimately, however, this is a matter for business – in a digital economy, it’s the equivalent of installing a burglar alarm.”
The report, based on a survey of 844 IoD members in December 2016, also found that although respondents were aware of the threat presented by cyber crime, particularly on mobile and tablets, only just over half had protected all their devices, and less than one-third used virtual private networks (VPNs). In the event of an cyber attack, four out of 10 respondents said they would not know who to contact, which the report pointed out would become crucial for compliance with the EU General Data Protection Regulation (GDPR) from 25 May 2018, which introduces mandatory data breach notification.
Although two-thirds of responds said they had taken government advice to use a variety of passwords and a similar number used cloud software, only 44% had arranged cyber awareness training, and many left gaps of more than a year between training programmes.
“For centuries, society and banks have steered through unprecedented events,” said Troels Oerting, group chief information security officer at Barclays. “Cyber crime is another challenge, and it, too, can be managed by implementing a strong strategy built on resilience and intelligence.”
The report made it clear that senior leaders recognised the importance of cyber security, said John Madelin, CEO at security firm RelianceACSN.
“But beyond that, they have little clue how to approach the issue,” he said. “For some time now, it has become increasingly clear that the security industry lacks conviction, and has fundamentally failed to educate organisations in how to manage their security holistically.
“As a result, there is a complete lack of understanding about the value of intangible, digital information sitting within most organisations.”
Madelin said the information security industry needed to encourage a different approach to security, which is integrated, better executed and end-to-end.
“What is more, security needs to become a way of life for everyone in the organisation to ensure the vast amounts of data we are generating is protected, and that all employees are accountable for it,” he said. “Only through this can businesses protect their digital business, reputation and bottom line.”
Adam Brown, manager, security solutions at Synopsys, said the company had found in a recent survey at a global security conference that 73% of top security professionals thought it likely that their organisations would be hit by a major data breach in the next 12 months, but felt they would not have enough time, money or skilled staff to handle the crisis.
“Responses to cyber attacks can be hard to address without experienced specialists on hand, so the challenge is more than just knowing who to report the incident to,” he said. “Organisations need to be prepared for such breaches.”
Richard Brown, director channels & alliances in Europe, Middle East and Africa at Arbor Networks, said attack methodologies were evolving daily and, as such, it was no longer acceptable for businesses to be complacent about their cyber security strategy.
“Businesses must take the fight to cyber criminals with improved intelligence sharing and better co-operation with law enforcement,” he said. “Organisations should also instrument their internal networks so that they have broad and deep visibility of network traffic, threats and user behaviour.”
The report recommends that organisations:
- Understand what the GDPR means for their business and how they can prepare.
- Ensure directors and board members are trained on the business risks of cyber security.
- Run an attack simulation with senior management to ensure processes are robust.
- Ensure all staff have regular cyber awareness training.
- Regularly scrutinise cloud and server suppliers to ensure their processes are up to date.
- Investigate the need for cyber insurance.
- Incentivise employees to spot false invoices or emails.
- Encourage honesty when human errors have been made.
The report concluded that while business leaders were still putting cyber security on the back burner, which could be “catastrophic” for small to medium-sized firms, there were already numerous schemes and support bodies that provided high-quality advice. The report urged the business community to seek out this advice. “These are exciting times, but we must ensure we are secure while we push forward into the 21st century,” it said.
Author – Warwick Ashford