First the good news: The days of C-suites largely relegating cybersecurity to their IT departments have mostly disappeared. Today, most have highly seasoned CISOs on board, and increasingly they report to the CEO, not the CIO. Plus, with the help of widespread training, much of the organization now practices cybersecurity hygiene, and employees and their superiors overall are doing a pretty good job.
In a nutshell, organizations are attending to the three Ps—patches, people and passwords—more than ever.
Now the bad news: Many enterprises need to do better still to minimize cyber-breaches—and they know it. According to a recent study from Nominet, 90% of C-suite members think their organization still lacks the proper resources to defend against a cyberattack and 76% think a security breach remains inevitable.
This isn’t merely a matter of opinion, either. Another study by Accenture highlights large gaps among corporations in cybersecurity resilience. One troubling finding in the survey of more than 1,400 C-suite executives is that only 40% placed a high priority on creating or expanding an insider threat program. This suggests that too many top corporate executives aren’t as concerned as they should be about one of the most common security threats.
Forty percent of those polled also said they always conferred with their business unit leaders to understand the business before suggesting a security approach, indicating inadequate ongoing communication. Moreover, while 73% of those surveyed said that cybersecurity activities and staff must be distributed throughout the organization, 74% concede that cybersecurity efforts nonetheless are mostly centralized.
What is not as significant—but particularly ironic—is that C-level executives are 12 times more likely to be a target of a social engineering phishing campaign, according to Verizon's 2019 Data Breach Investigations Report. This is especially concerning. Executives have access to critical business systems and processes within the organization. If an executive is compromised, everything they have access to may be open to compromise as well.
In fairness, maximizing security effectiveness at a sizable corporation is no small affair.
The attack surface is gargantuan. A typical enterprise has a huge and diverse array of assets to be protected, including applications, managed and unmanaged endpoints (fixed and mobile), IoTs and cloud services. Bear in mind that each Internet-facing element can be attacked in hundreds of ways. Users can be phished. Weak passwords, software vulnerabilities, misconfigurations and numerous other vectors can be leveraged to compromise some enterprise assets and gain an initial foothold inside your network.
Once inside, an adversary may be able to rapidly move across the enterprise and compromise some important assets—and hence accomplish a breach.
Clearly, maximizing the effectiveness of cybersecurity inside an enterprise is a serious and chronically evolving enterprise—and one that must be done and re-done.
There are a number of tactical security measures that corporations can improve upon, but perhaps most important is the need to better address increasing risks from the inside, not the outside—from both unintentional employee negligence and intentional employee theft. According to the 2018 Insider Threat Report, 66% of surveyed organizations consider malicious insider attacks of accidental breaches more likely than external attacks.
Here are additional steps that need to be taken:
• Board members with no special expertise in cybersecurity should be persuaded to learn more about it and to take pains not to disclose passwords, accounts numbers or other critical data to the sender of an unexpected email. Directors who know too little may become a weak link in a company’s security systems.
• Take pains to convince even more cybersmart board members to become as cyber-knowledgeable as possible. Companies with boards with a high level of engagement in information security typically rate much higher than other companies in most facets of information best practices.
• Remember that people, as well as policies, are key to an effective security program. Security policies are best supported with training programs and communications for employees. In short, organizations should strengthen their focus on promoting a culture of security policy compliance.
• Make a point of enhancing the management of vendor risk. This has become more important as the number of external data-management vendors increases, alongside the growing use of cloud-based storage. Sizable gaps now exist between top-performing organizations and other companies in terms of overall knowledge of vendors’ data security management programs and procedures. These areas frequently stand between an organization’s crown jewels and cyberattackers.
• Cybersecurity leaders should make sure they attach cybersecurity needs to business requirements. Too often, they have difficulty quantifying the risk of financial loss if select measures are not taken and presented in a way that aligns with business goals.
A member of the security team, for example, might need to explain to the C-suite why an organization should purchase a new encryption service. He or she shouldn’t merely say that it could save the company down the road. They should also point to industry statistics to back up the contention and spell out what a cyberthreat could cost the organization, including costs around incident response, potential fines and lost customers.
• Stay ahead of the curve. Today’s evolving cyberthreats require a new way of thinking. Companies need to adopt practices that don’t affect their workflow and don’t disrupt the actual business in any way. As much as possible, look at what universities, incubators and startups are producing. They are often the best sources for cybersecurity solutions and talent. Hire the expertise you need from this pool, and make sure your team is evolving with the threats.
• When a member of the security team is asked to address the C-suite, impress upon him or her to get to the point quickly. If too much information is presented at once, C-suite executives might overlook key details. It rests on the cybersecurity point person to provide just enough information to show the impact, intentionally leaving out extremely technical jargon and non-essential graphs and charts.
The Japanese are famous for “Kaizen”—the continuous improvement of manufacturing and other business activities. But they are not alone; many American businesspeople also embrace this concept. And it absolutely applies to enterprise cybersecurity as much as anything else.