We are all aware that securing our organisations people, assets and data is a fundamental requirement for all organisations today. But when you highlight that more than ¾ of consumers agree that security is a high priority when choosing an organisation to buy services from, it takes on a more dynamic perspective.
While there is a clear necessity for companies to secure and protect their environment from a reputational and operational risk perspective, there is also an opportunity to enhance customer retention and even attract new customers concerned about the privacy and safety of their data.
The Cyber Security Report from 2019 highlighted that a ransomware attack occurs every 14 seconds , security breaches are up 11% from 2018, 57% of attacks are on larger organisations, 48% of UK manufacturers are cybercrime targets.
Of the breaches we know about: 1.5 billion Indian citizens exposed in Aadhar data breach, 1.16 billion email addresses and passwords exposed in Collection 1 data breach in 2019, 540 million Facebook users exposed through AWS S3 storage buckets, Marriott breach exposes 500 million user accounts….and the list goes on.
You will notice that no sector is immune as government bodies, social platforms and consumer brands are targeted and exposed with worryingly regular occurrence. The size of these organisations, the number of digital services offered and for some their connectivity to legacy infrastructure leaves them wide open to vulnerabilities being exploited.
On the flip side organisations are dedicating substantial amounts of their capital on mitigating vulnerabilities and are mainly more cyber-resilient than smaller organisations. This puts these larger organisations in a strong position to push that resilience and the trust it engenders as a market differentiator, creating potential USPs around security, authentication and data protection.
Where’s the threat?
Most cyber-attacks are performed by three types of perpetrator: hacktivists, criminal organisations and governments. All three are likely to launch Denial Of Service (DOS) attacks, exploit technical vulnerabilities to extract data, orchestrate phishing scams for financial gain or simply siphon money straight from one place to another to swell their own coffers.
However, a substantial proportion of breaches still begin from within the organisation – either through disgruntled employees or the lack of appropriate controls, processes and awareness, with insecure devices connecting to networks.
Although perimeter controls are obviously important and form a large part of investment in cyber-attack prevention, equal attention should be given to shoring up internal vulnerabilities and minimising the impact of a breach. Also, with the move for more services outside the traditional secured perimeter to cloud services accessed over public internet the focus for layered defence is critical.
It is no longer a case of if your organisation will be breached but when, and planning for that eventuality is critical to minimising reputational and operational impact.
More threats, greater scope
Recent years have also witnessed an increase in the scope and scale of protection requirements. Growing use of third party suppliers, cloud services and workforce working habits add to the pressure of new regulatory demands such as GDPR, DPA, Consumer Contract Regulations and Privacy and Electronic Comms Directive. The result is a challenging task for organisations to implement controls to protect an organisation and their customer data assets. With limited budgets and resources, it is imperative that security investments are made based on business requirements, risk appetite, likelihood of impact and assessment of key vulnerabilities. There is no ‘one size fits all’.
Who’s in charge?
In most major enterprises, the role of data and systems protection generally sits with the Compliance or IT teams as, rightly or wrongly, this is where most vulnerabilities are perceived to lie. Although seen as a board level risk, cyber security is generally left to the specialists and that generally means the CIO/CISO and their team.
However, for security prevention to be truly effective (particularly for GDPR), security needs to break traditional boundaries and be embedded throughout an organisation and beyond to partners and suppliers.
Security needs to be linked directly with the business itself, going beyond the compliance mandate to make it a core value that it is every employees’ responsibility. Embedding security practices through mandatory cyber-security training as part of the on-boarding process is one solution. This should cover information security practices, phishing scams, data privacy awareness, etc.
Security should also be woven into the fabric of all roles through performance management or mandating that all employees are accredited once a year. IT leaders need to be vigilant in their duty around cyber security and educate their peers and board members of the importance of understanding persistent threats, addressing security skills shortage and mitigating breach impacts.
For all CISOs, security is a holistic activity. Paul Swarbrick an award-winning CISO says: “It’s a big mistake to think of security as tin and wires, anti-virus and firewalls. Security is a holistic process that touches on absolutely everything.”
From a Peru Consulting perspective, we break this process into a number of discrete areas:
- Technology – Knowing the current IT estate; identifying key data and applications; understanding the main vulnerabilities, assessing their impact and developing an appropriate response. Addressing these elements will provide a clearer picture of the security investment priorities. Additionally, ensuring the right testing strategies are in place across the estate, with patch management and quality assurance, will reduce risk and deliver certainty. Surprisingly, more than 30% of senior technology leader respondents in our recent research believed that data recovery processes were not tested on a regular basis.
- Architecture – Appropriate security governance processes covering security principles, requirements and risk models should be embedded within the organisation. These will help inform investment decisions on the optimum tactical and strategic technologies, which to divest and, crucially, in assessing application resilience. In essence, this answers the questions: “How long will our investments stand up to current and persistent threat? What is the ROI of shoring up existing investments vs investing in more secure and stable architecture now?”
- People and skills – Investing in small teams of security experts covering core areas such as security strategy and cyber response whilst outsourcing the more commoditised areas such as the Security Operations Centre (SOC), vulnerability management, environment scanning, etc. This approach has pros and cons, but finding the appropriate skills remains a persistent challenge for the retail banking sector and IT in general. If outsourcing is the preferred route, it’s essential to develop an effective sourcing strategy and regularly review the benefits of every relationship.
- Sourcing – Reviewing existing third party contracts for responsibilities and accountabilities (especially in light of new regulations) will protect unnecessary organisational risk. Assessing supplier compliance regarding the bank’s specific security needs will help nurture stronger and more transparent relationships.
Everybody, all the time
If you take just one thought away from reading this article it should be that “Security is everybody’s objective – good management, user education and governance can help mitigate security risks.”
Whatever approach is taken, a new way of thinking about organisational security is needed: not just as something that affects IT and Compliance departments alone, but as a cultural shift across all aspects of the organisation. All companies that look after customer data have a duty of care to protect not only their own data but that of their customers as well and this has to be balanced with delivering engaging customer experiences.
Investment in secure technology, appropriate internal processes and controls, securing the right skills and people and embedding security governance into organisational architecture not only mitigates risks and protects the business, but will help attract and retain customers through loyalty to, and dependability on, the brand.