Cybersecurity - a hot potato?

Why does cybersecurity not get the attention it deserves in all organisations? There is a range of reasons: over-exposure and the resulting fatigue with the topic, a lack of budget, an “it’ll never happen to us” mentality, a lack of sufficient knowledge and skills in-house, and more. The common thread running through all of those reasons is insufficient responsibility and accountability for cybersecurity at senior levels, combined with a lack of understanding and/or appreciation of the importance of good governance and control. Cybercrime is forecast to cost $10.5 trillion annually by 2025, which, if it were a country, would make it the third largest economy in the world after the US and China. If you think taking serious steps towards a good cybersecurity posture is not required, or can be left until later… think again.

Tone at the top

The organisations that are arguably more secure or, perhaps better phrased, that proactively manage their cybersecurity risk, are those with dedicated personnel managing it day in and day out: someone at the top who takes accountability and drives a responsibility model across the organisation.

Dedicated roles and responsibilities for cybersecurity at senior levels encourage a secure ethos and culture in an organisation. The top-down approach is often overlooked, and yet it is a crucial cog in a never-ending cycle of security. Dare I say, it’s one of the handles that drives the machine, rather than just an integral cog. Why do I think that? Well, because cybersecurity is an organisational responsibility. It’s not “IT’s problem”; those days are a distant memory. Every individual has a role to play in maintaining the security of their organisation. If senior individuals set great examples, perhaps through formal policy and procedure and by leading by example, they can expect others to follow suit. When a positive precedent is set, it becomes a target for all others to achieve and maintain.

What does good governance and control look like, and how does it start?

Cybersecurity can appear a daunting topic. It’s vast, covering things like disaster recovery planning, incident response management, secure configuration of applications, least-privilege access administration, endpoint detection and response, vulnerability management, vendor due diligence… the list goes on. But when you move past the scary topics of IT and the technical jargon, it soon becomes apparent that there are simpler first steps to be made. It doesn’t need to be the hot potato thrown from one person to the next, scorching its next unsuspecting victim. Perhaps more a baked potato that can be feasted upon, enjoyed, and from which to obtain nourishment (I would have preferred something more exciting than a baked potato; let your own imagination run wild!).

Implementing policies, for example, helps drive the culture of an organisation and holds people to account. Policies should be seen less as a ‘stick’ and more as a ‘carrot’. There shouldn’t be an immediate and extensive reprimand for owning up to a mistake such as clicking on a potentially malicious link; that doesn’t foster a positive cybersecurity culture. You need to turn those situations into positive, teachable moments. A mistake flagged early could be the difference between your organisation continuing to function seamlessly and being on its knees at the hands of a cyber criminal. This is where the top-down approach can really help. Fostering a nurturing environment in which people take ownership of mistakes and see them as learning opportunities is the best place to be for any organisation.

Policies on best practice and acceptable behaviours when using organisational assets and technology (commonly referred to as Acceptable Use Policies) are a good start. Then expand to policies on passwords, backups and restores, change management, access administration, and audit and event logging, and soon a culture is forming for all to follow. Those are great first steps, but the journey should definitely not stop there; it has only just begun. There are lots of tools and guidance readily available. The NCSC is a fantastic resource. Sometimes the difficulty can be finding the time to read it and implement it all.

Robust cybersecurity processes and controls require input from HR, the Board, Finance, IT, Procurement, and probably more besides. This further supports the point that it is the whole organisation’s responsibility to foster a positive cybersecurity culture. The most successful organisations in the world have fantastic leadership with a vision that everyone has bought into. Cybersecurity should be an umbrella, protecting that entire vision from the rainy future of cybercrime.

Knowing where to start

Cybersecurity is seen as a behemoth of a task, an Everest to climb, an ultramarathon to run. It doesn’t all have to be tackled at once, though. A few small steps here and there allow organisations to move in the right direction, ever improving their cybersecurity posture while slowly breaking the huge cyber-blocker down into more manageable chunks.

If you’re looking to break off small chunks and tackle them one by one, you need to set goals and objectives that are achievable over time, not insurmountable. The below is like a mini crash course and, to be clear, these are my own personal and professional views. There will be many other steps in between at a more granular level, but this feels like a good summary:

Step 1 - Make someone both responsible and accountable for cybersecurity at senior management and Board level, and empower them.

Step 2 - Identify and analyse the areas of the business which are most sensitive and most at risk.

Step 3 - Assess possible solutions to address the risk exposure, taking into account costs, expertise required, timeframes etc.

Step 4 - Allocate sufficient budget so that cybersecurity can be improved continuously, year-on-year.

Step 5 - Repeat steps 2, 3 and 4 annually at a minimum and soon after any significant organisational changes.

Lastly, if you’re unable to complete any or all of those steps in-house, seek support from someone you can trust who has the knowledge and experience (and the battle scars to prove it; thankfully my many scars are not visible to the human eye!).

Angela Ching

Partner at KPMG Canada

Congrats on becoming a dad, Phil!

Carrie MacDonald

Recruitment Advisor at Wilsons Solicitors LLP

Really interesting article Phillip Osgathorpe (CISSP), thank you for sharing. Also, huge congratulations on becoming a Dad 😊

Edward Goodeve-Docker

Modern and relevant finance training

Good article. I would add to this (and without stereotyping) that, in my experience, the more senior the person, the less tech savvy they are (on average, and this is from my experience). I have started to hear of firms doing reverse mentoring, where more junior but tech-savvy employees mentor senior employees across everything from social to cyber and crypto. You can't lead from the top if you don't understand!

More articles by Phillip Osgathorpe CISSP FCCA