Managing Cybersecurity Risk
eBook - ePub

Managing Cybersecurity Risk

Cases Studies and Solutions

Jonathan Reuvid

About This Book

The first edition, published November 2016, was targeted at the directors and senior managers of SMEs and larger organisations that have not yet paid sufficient attention to cybersecurity and possibly did not appreciate the scale or severity of permanent risk to their businesses.
The book was an important wake-up call and primer and proved a significant success, including wide global reach and diverse additional use of the chapter content through media outlets.
The new edition, targeted at a similar readership, provides more detailed information about the cybersecurity environment and specific threats. It offers advice on the resources available to build defences and on the selection of tools and managed services to achieve enhanced security at acceptable cost. A content-sharing partnership has been agreed with the major technology provider AlienVault, and the 2017 edition will be a larger book of approximately 250 pages.


Information

Year: 2018
ISBN: 9781787198906

Part One

Cybersecurity in the Information Age

1.1 BUILDING BUSINESS RESILIENCE

Nick Wilding, AXELOS RESILIA

INTRODUCTION

This chapter contends that a missing key to creating and growing a truly cyber-resilient organisational culture lies in building a vigilant and resilient workforce through effective awareness learning for all.
KEYWORDS: cyber security, cyber resilience, resilient workforce, storytelling, boardroom engagement.

THE NATURE OF THE CHALLENGE

Baroness Dido Harding, the outgoing CEO of TalkTalk, called cybercrime ‘the crime of our generation’ when she was thrust into the media gaze following their high-profile breach in October 2015. Her experience is by no means unique — the threat we all face is real and relentless.
Symantec, in their ‘Internet Security Threat Report’ published in April 2016, noted that they had:
‘…discovered more than 430 million unique new pieces of malware in 2015, up 36 percent from the year before. Perhaps what is most remarkable is that these numbers no longer surprise us. As real life and online become indistinguishable from each other, cybercrime has become a part of our daily lives. Attacks against businesses and nations hit the headlines with such regularity that we’ve become numb to the sheer volume and acceleration of cyber threats.’1
This ‘numbness’ is echoed in research carried out by the National Institute of Standards and Technology (NIST)2 in the US. They assessed perceptions and beliefs about cybersecurity and online privacy, and identified that people are increasingly desensitised to constant reminders about cyber risks. One of the research respondents, an ‘average technology user’, commented:
‘I don’t pay any attention to those things any more … people get weary of being bombarded by “watch out for this or watch out for that”.’

SECURITY FATIGUE

The last quote highlights the difficulties we face in moving beyond the frustration, weariness and ‘security fatigue’ many of us feel from the bombardment of messages about the dangers lurking online.
The NIST research found that many of us often feel out of control or resigned to doing nothing about online security. Now, take these attitudes into the workplace and organisations are faced with a real dilemma. The reality is that cyber attackers often find it easier to communicate with, engage and influence the behaviours of our staff than we do. Technology is not the only answer — just a part of it. In 2015, Tom Farley, President of the New York Stock Exchange, said in his introduction to ‘Navigating the Digital Age: The Definitive Cybersecurity Guide for Directors and Officers’:
‘It is important companies remain vigilant, taking steps to proactively and intelligently address cybersecurity risks within their organisations. Beyond the technological solutions developed to defend and combat breaches, we can accomplish even more through better training, awareness and insight into human behaviour. Confidence, after all, is not a measure of technological systems, but of the people who are entrusted to manage them.’

THE HUMAN FACTOR

But there’s a huge challenge here — one which was starkly highlighted in Verizon’s 2015 Data Breach Investigations Report:3 the great majority — estimated at 90 per cent — of successful cyberattacks owe their success to human error. That means anyone in any organisation, irrespective of their role or seniority, can enable an attack to succeed through their unwitting actions. Jim Baines, the apocryphal CEO whom I cite in Chapter 5.1, couldn’t agree more:
‘Unwitting is the point. Some of my friends say “witless” but that’s another matter. The point is, we were complacent. We thought it was a technical not a human issue. But it’s all about the human.’
Because most organisations don’t think this way, the cyber attackers will always have the upper hand. They only need to be successful once in their relentless targeting of our human vulnerabilities, whereas we must maintain constant vigilance. In Jim’s case, he was sent an email purporting to be from someone he’d met at a corporate golf event. The email offered pictures of his achievements on the fairway. He opened it on his business laptop and thought nothing of it. The names used were all familiar; one was from his distant past. It all seemed to make sense. But the attachment contained malware that infected the systems of Baines Packaging. Jim happened to be putting together a presentation for one of his major clients, a huge food conglomerate, and he put the presentation on a flash drive, went to a meeting and handed it to his contact — an old friend — who then infected that company’s systems. A chain reaction began. Jim’s entire livelihood was compromised.
That chain of events powerfully illustrates why we all — from the boardroom to the engine room and beyond — have a specific role to play in protecting our most precious information and assets. If an organisation’s people represent its greatest vulnerability, then it follows they can also be its most important and cost-effective defence against attacks. I would suggest that we’re at a crossroads in our collective corporate response to the cyber risks we all face: one where many will continue to invest in more technology and expect that multiple layers of technical defence will suffice. Another group — the market leaders, pioneers and innovators, but increasingly the ‘just plain sensible’ — will change direction and embrace an enterprise-wide approach, led from the top, which uses new methods to engage and openly reward good cyber behaviours, from top to bottom.
On the road taken by this group, storytelling and the business language used will play a vital role in an adaptive and open approach to learning. It’s these firms that also understand that cyber resilience will become a key market differentiator for asserting competitive advantage as customers, partners and — let us not forget — regulators (particularly with the General Data Protection Regulation [GDPR] coming into effect in March 2018) increasingly demand demonstrable proof that their most precious information is being kept safe and secure.
Many firms also increasingly understand that their cyber risks need to be managed in balance with the immense opportunities for operational transformation, innovation and efficiency that digital technologies now offer. As Daniel Dobrygowski, the Global Leadership Fellow for the IT industry at the World Economic Forum, said in January 2017:
‘Cyber risk is a systemic challenge and cyber resilience is a public good. Without security and resilience in our networks, it will be impossible to safely take advantage of the innumerable opportunities that the Fourth Industrial Revolution is poised to offer. Responsible and innovative leaders, therefore, are seeking ways to deal with these risks.’4
Storytelling plays an important role in responding to this systemic challenge; stories spark emotions, and they help people to remember information.

YOUR STRONGEST DEFENCE

Mostly, cybersecurity is communicated within organisations as a set of statistics and data about the latest threats, the changing techniques adopted by cyber attackers and the number of events and incidents experienced. As a method of bringing about systemic and cultural change, this is a flawed approach.
I believe that the opportunity is clear: staff are not, as is so often lazily reported, ‘our weakest link’. They are instead our most powerful and effective defence against attacks and only as ‘weak’ as the strength of the awareness training we give them. But does this training engage? Is it relevant and relatable to the learner? Does it provide simple, practical guidance? Is it focused on giving them the confidence to change their existing behaviours and to discuss incidents with their colleagues? Does it tell a strong story about what ‘good’ looks like?
The sad truth is that most organisations continue to educate their people with an annual information security awareness e-learning exercise. It can take over an hour to complete and typically ignores some basic rules for effective learning. With cyber attacks relentlessly targeting and threatening our most sensitive and valuable information, forgetting, sadly, is no longer an option. Ignorance isn’t a defence anymore. The risks and potential impacts are too great.
In this vital area of staff training and development, one size doesn’t fit all. The current ‘all staff, once a year’ approach simply does not influence or sustain long-term behavioural change. At best, it reminds us of some essentials; at worst, it’s treated as a necessary evil, a distraction, and something to be completed as quickly as possible.
Annual e-learning will not instil and sustain the cyber-resilient behaviours that employees need today. We’re trying to ‘programme’ our people in the same way we programme computers: to do certain things, in defined ways, at certain times. This approach doesn’t work with human beings.
In January 2016, AXELOS RESILIA, with Ipsos MORI,5 carried out research among those responsible for information security awareness learning in their organisations. We wanted to find out how well prepared members of the UK’s workforce were for a cyber attack on the companies they work for. The results were sobering.
While it was positive to note that 99 per cent of business executives responsible for cyber awareness learning said that information security awareness learning was ‘important to minimise the risk of security breaches’, less than a third (28 per cent) judged their organisation’s cybersecurity awareness learning as ‘very effective’ at changing staff behaviour.
A similar minority (32 per cent) were ‘very confident’ that the learning was relevant to their staff, while 62 per cent were only ‘fairly confident’. This comparatively low level of corporate confidence in the ability of people to deal with a cyber attack is simply not good enough in an era where cybercrime has become ‘business as usual’. It reflects either a lack of understanding or a state of denial about the impact that a successful cyber attack can have on a business.
Organisations cannot continue to accept this low level of employee awareness and competence in the face of sophisticated cybercriminals who are constantly adapting their methods. Imagine how your customers would respond if told, ‘We’re fairly confident that your confidential information is safe from attack’. Equally, a report to a board of directors that the level of confidence in the organisation’s information security awareness is only ‘fair’ would provoke some serious alarm. If company boards are not asking questions about the current effectiveness of their awareness learning programme and what is being done to improve their organisational cyber resilience, then they should be. Now!

AWARENESS TRAINING

What determines the capability and performance of employees is the relevance and effectiveness of the training they’re provided with and the behaviours they adopt as a result.
What needs to be understood is that we all learn differently and at different speeds. We need to offer awareness training that provides our people with multiple approaches that appeal to the widest possible spectrum. This way, they are far more likely to have the confidence to share and discuss experiences, to get proactively involved in their own learning, to champion resilience to others and to continuously learn and adapt. The picture painted by our research therefore suggests that the current annual compliance-based approach, on which most organisations still rely, is failing.
The same challenges are being faced in the boardroom. The impact of a major attack can be catastrophic and the boards of many high-profile global brands have already felt the reputational and financial damage that can ensue. Many more continue to struggle to properly understand what they can do to address this and what good cyber resilience looks like for them.

THE BOARD...
