Cybersecurity: the buck stops with the boardroom
Last week IDEALondon hosted the Cyber Literacy for the Boardroom event.
Organised by Women on Boards, the session aimed to arm board members with the knowledge to ask the right questions on cybersecurity.
Cisco CTO Alison Vincent was onstage to lead the discussion, and the point underpinning everything she said was this:
Protecting people’s data is important, and ultimately it’s the board’s responsibility.
Before I go on, I want to share the video Alison played at the event. It perfectly illustrates why this issue should be right at the top of the boardroom agenda…
With all this in mind, here’s what Alison had to say…
Better connectivity means greater risk
We’re still on track for 50 billion ‘things’ to be connected by 2020. The amount of useful knowledge we can glean from all that data is undeniably valuable. But with that comes a much greater surface area for attack.
Alison referred to her own home setup to illustrate this point.
“I can control my heating from my phone, I have a motion sensor on my front door, I can use Alexa to open my front gate by voice command or add items to my shopping list while stirring the dinner.”
Great news for those who love tech and convenience, but as Alison put it: “In terms of security, the number of potential access points for hackers has increased.”
You can apply that same principle to commercial buildings. With an increasing number of companies turning to ‘smart’ offices, cyber attackers have more opportunities to break in than ever. And yet in the UK, cybersecurity is still mostly seen as just “an IT issue”. In our most recent Annual Cybersecurity Report, the majority of our survey respondents told us that line-of-business managers were not engaged with security.
This is a real issue, because it often means that security gets “bolted on” rather than embedded in a company’s ecosystem. That can often lead to gaps in your infrastructure, which hackers thrive on working their way through. It also means your innovation often gets stifled because you aren’t as secure as you should be.
When something is stopping a company from growing, there should be no doubt about whether it’s a boardroom issue or not.
Keeping up with evolving threats
The traditional way of dealing with cybersecurity threats was to put up a firewall – keep the bad stuff on the outside so everything on the inside is safe.
Those days are well and truly over, as Alison explained.
“When you have devices like mobile phones and tablets being used inside your organisation,” she said, “it’s no longer enough to protect the perimeter.”
In fact, the concept of ‘the perimeter’ doesn’t even exist anymore. 25% of corporate traffic completely bypasses the corporate firewall. At the same time, 27% of connected third-party cloud applications (used on multiple devices) introduced by employees in 2016 posed a high security risk, according to our Cybersecurity Report.
Most companies are not aware of every single device being used on their network – often because it’s simply impossible to keep track. And malware via social media is on the rise.
But the rate and scale of attack are evolving too. 60% of stolen data is taken within just hours of the initial attack, while there’s been a significant increase in companies reporting losses worth $10 million or more in the last three years.
And complexity is on the rise – the average company’s network is managed by 89 different vendors every week. Hackers thrive in complex systems. They make their business from finding the cracks and gaps, pursuing the weak links in our systems so that they can steal valuable data and profit.
With everything becoming more complicated and the security stakes increasing all the time, Alison highlighted another huge problem: a lack of highly skilled security staff to help combat it all.
But all is not lost, she argued, putting forward a number of questions you can ask your board to ensure your company – start-up or otherwise – is best-placed to fight the threats.
Questions to ask the board
The first question is: “What is the one single event that will impact your business the most?”
This one is particularly important, Alison argued, because no organisation can possibly hope to protect itself against every single threat.
Instead, you should work out what the most damaging attack would be and focus your resources on defending against that first.
Next, you should ask: “What’s your strategy for patching vulnerabilities and how can you measure the effectiveness of that strategy?”
One of the biggest problems in cybersecurity, Alison argued, is a lack of visibility – even in the face of known threats. 16% of organisations had yet to address vulnerabilities discovered in 2009, according to our latest Annual Cybersecurity Report.
Another potential question: “Have we reviewed our supply chain for anything that might compromise our security?”
Alison highlighted the Target hack in the US, where attackers are believed to have broken into the network via the air conditioning.
She also stressed the importance of reviewing any risks within your business that could potentially harm those you’re supplying.
Finally: “Can you confirm all employees have cybersecurity training at least once a year?”
The fact is, Alison said, all companies will be hacked at some point. It’s no longer a case of if, but when. Educating staff is critical for minimising frequency and damage, and everyone including the board needs to have a crystal-clear idea of how to respond.
UK companies should focus on improving visibility, and simplifying their architecture. This will help us innovate more, and worry less.
Getting to a point where they only need to see a cyber threat once, before instantly defending against it everywhere on their networks, has to be the goal.
So there you have it: an overview of the state of cybersecurity and a few questions to arm yourself with at your next board meeting.
As a closing thought, Alison had these words of advice:
“C-suite winners are the ones who have a balanced view of cybersecurity.”