Security, and particularly cybersecurity, has repeatedly reached the headlines in recent months. It has widely been acknowledged that there is an ongoing cybersecurity skills challenge which makes recruiting and retaining skilled professionals increasingly difficult, and which might in part account for weaker security at some organisations. However, looking at cybersecurity more broadly, a fundamental question is: what does being secure really mean?
For some it has simply meant implementing a piece of technology or software which detects malware, though as the threat landscape has continued to evolve and become more sophisticated, this approach is no longer enough. It is essential to ensure basics are in place – indeed it is true that last year we found 7 out of 10 vulnerabilities identified reside on end user systems, though a “switch it on and leave” approach does not address this issue – in fact it could lull the user into a totally false sense of security.
Security needs to be a continuous discipline. Taking a layered approach with technology and software might be sensible, though if it is not regularly patched, updated and managed, it could quickly become ineffective against evolving and persistent threats. It is worth remembering that, although it is a simple control, properly maintained anti-virus does detect 40-50% of malware.
Training programmes can also reinforce the continuous discipline of cybersecurity. It is important that these programmes are action-oriented education; in other words, as a result of training, the behaviours within the organisation change. Our Risk:Value report found that senior business leaders now have cybersecurity firmly on their agenda, though there are indicators to suggest that processes and education are still lagging behind. It is therefore important to recognise that everyone in an organisation has a role to play in keeping data secure from an attack. The findings suggest that training and education can help “shift the dial” in generating awareness and creating a sense of collective responsibility. Again, this is akin to getting the basics right: defining processes and best practice, along with regular system updates, makes a significant difference to the security of data.
Working with a trusted third party can also help, not only to combat any potential security skills shortages within the organisation, but also to take the vast amounts of threat data and put them in context for the customer. Finding a third party that has industry knowledge of the finance sector along with threat intelligence is a powerful combination. It means that actionable information is available to the customer, enabling them to make risk-based decisions that are both timely and relevant to their business.
Finally, good practice, education and processes must be underpinned by an active incident response plan. Our latest Global Threat Intelligence Report found that 77% of organisations are still underprepared to respond to security incidents should the worst happen. Prevention is of course still better than cure; however, should an organisation become subject to a breach or attack, a well-defined and clearly articulated incident response plan will help minimise impact and disruption as part of a continuous cybersecurity and risk management approach.