Analysis: Educate the right people, for the right threat.
TalkTalk’s mega breach has made headlines all over the world, and the incident seems to have shaken British executives’ cybersecurity priorities.
However, Andy Herrington, head of cyber professional services at Fujitsu, said in an exclusive roundtable attended by CBR that companies need to plan for different scenarios.
"It is not just about entity management, but about resilience. This can help create true economies of cyber. Plan to change the plan."
He also said that since TalkTalk’s breach, "we have had more senior conversation [around security]". "The conversation has changed for the better in the UK."
His thoughts came after a Fujitsu report that found that, despite security breaches costing businesses an average of between £1.46m and £3.14m last year, financial loss is still not a top priority for IT decision makers.
Over half of the IT decision makers spend less than a quarter of their IT budget on security. Conversely, 86% of IT decision makers rated security as the most important to their business.
Herrington said: "When we say UK IT decision makers do not prioritise their budget for security, I would even say this is a budget for trust.
"I think [investment in security] will change next year. We, as an industry, need to change and help with this. By making security decisions based on finance, rather than on the technology required, businesses are making themselves vulnerable.
"Looking at each phase of the cyber kill chain is one way of putting yourself in a better position against hackers."
The report also highlights how CIOs are more concerned with the loss of sensitive data following the huge rise in advanced threats over the last year.
However, Herrington said that risk-taking executives are the worst to talk security to. "Executives are the best to do business, but the worst to talk security to, because they are risk takers. Do not try to re-educate executives, target the PAs [personal assistants], they can still protect executives."
Also part of the panel was Mike Smart, EMEA security strategist at Proofpoint. He said: "We are seeing the market moving to advanced protection against threats. Cybercriminals are profit-driven businesses and are ruthless in their drive for high return on their investments."
People key to fight cyber threats
In order to fight back against these threats, both Herrington and Smart agreed that companies need to prioritise training and education.
Herrington said: "What are we doing about people training? Awareness training can be sometimes just a box ticking exercise. [We need to] engage different parts of the organisation.
"Educate the right people for the right threat. Take the skills shortage right on the nose and educate the right people.
"Know which people to include when something happens."
According to Fujitsu’s research, security teams average between eight and ten people per organisation – a huge investment in people to protect the business from threats.
Smart backed Herrington, saying that businesses need to build resilience. "Look at the people, do we have enough staff to cover it [a cyber threat]?"
He also highlighted that while everyone has a plan that is tested on a regular basis – like fire responses for instance – "cyber is not".
4 main threats to businesses
While it is important to know how to fight against hackers, it is equally important that organisations understand the nature of a security threat.
Herrington said: "The internet is now one big application of the cloud, and we are only scratching the surface of what this can do. It is only 20 years old.
"I foresee a world where with cloud applications humans do not have to interact, they just consume.
"Good hygiene in your system is quite cheap compared to the cost of responding to an eventuality, like TalkTalk."
With this, Herrington introduced a concept which simplifies threats into four main categories: internal malicious, internal non-malicious, external malicious and external non-malicious.
He said: "Most problems occur within the internal non-malicious spectrum [when someone is trying to carry out a job within their company’s IT system, and something goes wrong].
"The TalkTalk hack, for example, sits in the external malicious, which affects everyone. This all requires a different profile of response.
"Technology should be our slave, not the other way round."