Interviews

Cyber threat reality

by Mark Rowe

Jonathan Wood, pictured, CEO of cyber risk management firm C2, covers four common mistakes that organisations need to overcome.

In a recent cyber report by The Department for Digital, Culture, Media & Sport (DCMS), 39 per cent of UK businesses said they had identified a cybersecurity attack in the past year. Headlines of this nature immediately pique my interest, with the trigger word being ‘identified’. For a cyber threat to be described as ‘identified’, it must first have been detected by the organisation. What this data does not show is the proportion of unidentified cyber threats, which, in my opinion, will be significantly greater than this figure. For example, cyber criminals will often breach a company’s infrastructure and then lie in wait, launching their attack only when the best opportunity emerges. As such, these organisations could be unknowingly exposed to an attack at any moment, even though no threat has yet been identified.

Familiar oversights

I have seen for myself that businesses of all sizes, across all industries, often have the best intentions when it comes to putting in place measures that protect themselves against cyber threats. And yet, they all seem to fall at the same common hurdles. From hurrying to digitalise too fast to failing to define who is responsible and accountable for enhancing security defences – these mistakes need addressing to best protect businesses from hackers and cyber-criminals. So, what’s going wrong? Here are four common cybersecurity mistakes that organisations need to overcome:

1. Undefined responsibility and accountability

This is particularly prevalent if an organisation is multidisciplinary – for example, one comprising departments focused on manufacturing, customer service, distribution and so on. It is important to assign responsibility to a team or person, especially in larger corporations where the Board will not be directly involved in this work but should ultimately remain accountable for all risk. A CISO or CSO should be responsible for developing a cybersecurity strategy, overseeing the organisation’s cyber defences and eliminating the gaps that leave a company open to attack.

Within smaller companies, it might be the CEO or founder who is both responsible and accountable for managing cyber defences, either by themselves or through outsourcing to a third party.

2. Employee-centred innovation

Harvard Business Review recently reported that 67 per cent of remote workers surveyed failed to fully adhere to cybersecurity policies at least once over a 10-day period. Rather than acting maliciously, workers saw the rule breaks as necessary “to better accomplish tasks for my job” and “to help others get their work done”. To ensure compliance, business leaders must involve employees in developing and testing policies, while recognising that many employee-driven breaches stem from an attempt to balance security and productivity rather than from insider or malicious hacking efforts.

3. Financial crisis and its consequences

With UK consumers and businesses struggling with rising inflation, increasing costs of living, and potentially one of the most catastrophic recessions the country has ever seen, UK organisations are seeking areas to make fast savings, and this is not limited to tech. IT decision-makers will likely cut back on defences like end-point security, adopting a ‘nice to have’ approach rather than recognising the vulnerability introduced by remote/hybrid working and bring-your-own-device (BYOD) policies.

Security is not a line item to trim. The number of recent cyber-attacks highlights the importance of investing in long-term cybersecurity efforts. Without that investment, the repercussions can stretch as far as closing the entire business, because the cost of recovering from a breach cannot be met.

4. Hurrying to digitalise

The pandemic caused great hardship to many people around the world but a silver lining was the strong uptake in digitalisation. It was reported that across many sectors including manufacturing and fintech, the pandemic has acted as a catalyst for digitalisation, prompting new applications of existing technologies and vast new business opportunities.

However, every additional device and access point within an organisation widens its attack surface and introduces more potential vulnerabilities. As such, it is incredibly risky to blend or migrate legacy technology with SaaS applications or cloud infrastructure without a meticulous strategy and timeline in place.

At each phase of their digital transformation journey, project leaders need to evaluate and manage potential risks. This requires understanding and mitigating the threat presented by third-party vendors and their security processes.

From best intentions to reality

Cybercriminals are becoming increasingly efficient and business-like in the way they target and extort organisations. Recent examples, such as the LockBit ransomware attack on Royal Mail, show the persistent threat to organisations, which now more than ever cannot afford to fall victim to these common and basic shortcomings.

My main suggestion for organisations facing those lurking in the cyber shadows? Be proactive. Don’t skip steps when assessing your cyber threat landscape, and ensure the right policies and technology platforms are implemented to minimise your exposure to an attack.

About the author

Jonathan Wood is the CEO and founder of C2. He has over 20 years of experience in operational intelligence and cyber security including posts in the Royal Navy.

© 2024 Professional Security Magazine. All rights reserved.