The financial and reputational damage to a business that suffers a cybersecurity breach can be catastrophic. In today’s climate, we’re seeing retailers shed revenue, banks lose customers and, in extreme cases, small- to medium-sized businesses (SMBs) spiral into closure. Take LandMark White. The property valuation firm lost millions of dollars in revenue after a range of client data was inadvertently exposed through a public cloud storage resource and the company has since struggled with the ongoing financial and reputational ramifications.
As the cybersecurity threat landscape evolves, so too does the technology to combat it. Yet organisations still seem to be at risk. With a new breach making the headlines every week, it’s time business leaders question what drives a strong security posture and pinpoint exactly where vulnerabilities lie.
Cybersecurity is not just an ‘IT issue’
Research from Sophos shows that Australian cyber and information security decision-makers’ top three cybersecurity frustrations are business executives assuming cybersecurity is easy, cybersecurity frequently being relegated in priority and cybersecurity budgets being too low.
Further, 87% of these decision-makers believe the biggest challenge to their security in the next 24 months will be improving cybersecurity awareness and education among employees and leadership.
These findings indicate there is a wider corporate culture issue impacting cybersecurity. Business leaders must find a way to address these frustrations. They must shift their attitudes toward the value of cybersecurity – understanding that it’s not just an IT issue solved with tools, but rather a business imperative that requires the diligence and awareness of every employee and manager for the business to develop a strong cybersecurity posture.
While a strong cybersecurity posture is key to a business’s success, unfortunately, all too often, CIOs and CTOs are responsible for security in addition to their own tasks. In fact, in Australia, only 38% of organisations have a dedicated chief information security officer leading their cybersecurity strategy. Further, only one-third of businesses have a dedicated cybersecurity budget; in most cases, it’s included as part of other broader IT or departmental spend, severely undermining the output and resources needed to adequately secure a business. With IT and security resources spread thin and additional skills hard to find, business leaders must find a way to encourage organisational security from the top down.
Education is the first line of defence
According to the ‘Notifiable Data Breaches Quarterly Statistics Report’ for April to June 2019, 62% of data breaches were the result of a malicious or criminal attack, with 69.5% of the malicious attacks occurring in the form of malware, ransomware, hacking, phishing or brute-force. The prevalence of these types of attacks indicates that staff are not educated or aware of cybersecurity threats and what to look out for in their day-to-day online activities. What’s more, in the same report, 34% of eligible data breach notifications were attributed to human error.
Anyone with a computer in an organisation represents a vulnerability. Employees are the ones guarding the gates to a network, acting as the first line of defence. Leaving them uneducated on cyber threats is on par with running a marathon with no training.
Proactive security is essential and one of the key indicators of a mature cybersecurity program. Unfortunately, our research indicated management and the board only prioritised cybersecurity during active incidents. Business leaders need to take a proactive approach to their security posture and not wait until it’s too late to invest in critical cybersecurity controls and training.
It’s important for business leaders to understand that the success of an organisation’s cybersecurity investment lies in more than technology adoption. Business leaders must also support IT and cybersecurity leaders by cultivating a strong security culture, which begins with staff awareness and education.