The responsibility of securing the business falls with IT alone.
Whilst digital transformation and strategic IT initiatives are a priority for businesses across industries, IT teams have long struggled to get the attention of the board when it comes to securing the role out of such initiatives.
Technological developments such as IoT, cloud and big data may be necessary for business growth, however, they also present a myriad of new and unchartered security challenges, which require collaboration between all departments, if they are to be overcome.
The threat to businesses is very real, and is only getting worse. Gartner predicts that 60% of digital businesses will suffer major failures due to the inability of security teams to manage digital risk.
Companies of all sizes and in almost every sector are now finding themselves a target for cyber criminals. In fact, our recent Global Enterprise Security Survey found that 85% of respondents had suffered a breach in the past two years, with almost half reporting a malware or ransomware attack.
Worryingly, the board only takes action in 93% of cases, after a breach has occurred. This means that the rest of the time, the responsibility of securing the business falls with IT alone.
In the wake of high-profile cyber-attacks, boards must become more actively involved in cyber-security strategy. Even though boards do react when a breach does occur, they still fall behind when it comes to developing and deploying proactive security strategies, and their response remains reactive, rather than prescriptive. This means that preventative measures can fall by the way-side. For example, 77% of boards demand to know what happened after a security incident occurs, and 67% review or increase security budgets. However, it is not enough to simply increase security spend in the wake of a breach when the reputational and financial damage has already been accrued.
It is clear that organisations are failing to understand that security is the responsibility of every employee. It only takes one employee at any level to fall for a phishing scam or to click on a malicious link for a business to be brought to its knees by a cyber-attack. The problem is only getting worse, as the prevalence of social engineering attacks continues to rise steadily.
In this current climate, getting the attention of the board is imperative to ensure that a security -culture shift takes place in conjunction with the adoption of new technologies.
Here are a few ways that IT professionals can ensure that they are speaking the language of the board.
- When communicating cyber-risks to the C-suite, it’s important to connect these risks with real-world examples of large-scale breaches. Yahoo, Wonga, Three and Tesco Bank can provide examples of how a breach doesn’t just mean the theft of sensitive data. Ranging from tumbling stock prices and devaluation, protracted litigation and executive resignations, the effects of a breach can be devastating for businesses. Not to mention the threat of being fined, once GDPR comes into effect this year.
- By using business terminology that can be understood by all employees and ensuring that you have a comprehensive education programme in place, employees will begin to understand that everyone, from interns to managers is responsible for security in the workplace.
- 77% of IT professionals believe that the transition to the cloud is a key priority for the board and half of all businesses surveyed are already planning investment in cloud security over the next 12 months. The adoption of new technologies represents an opportunity for IT professionals to put security at the heart of there deployment. This should lead security to be viewed as more of a strategic business issue, which is part of an organisation’s broader risk strategy, rather than simply as an IT issue.