By Stuart Reed, Senior Director, Market Strategy at NTT Security
Businesses the world over are facing an unprecedented set of information security risks, yet global research from NTT Security’s 2017 Risk:Value Report has revealed a glaring void in awareness of the topic among senior-level management. Just over half of decision makers report that preventing a security attack is a regular item on the board agenda, suggesting that more needs to be done to get it taken seriously at boardroom level.
Unsurprisingly, data breaches are not the sole cause for concern. Compliance risks, such as the looming GDPR deadline, are mounting, and organisations have no alternative but to address cybersecurity and privacy, not only because of the financial and reputational fall-out they face if they don’t, but also because of the financial penalties. Many don’t even know how GDPR will affect them or understand the implications of the new rules, the violation of which could result in fines of up to €20 million or four per cent of global annual turnover, whichever is the greater.
It is now more important than ever for businesses to adopt appropriate information security processes and technologies to protect themselves and their customers from compromise, but for this to happen much of the responsibility must emanate from board level. So, what can be done to heighten awareness of information security at boardroom level?
Investing in security
Recognising that investment has a role to play is a good first step, as it makes people feel protected, but this could also be one of the reasons that companies are less worried about information security risk. The amount allocated from the IT and operations budgets to information security has increased since 2015, but does this growth in investment mean that companies are any safer?
Driving a culture of security
Evidently not. While investment is necessary, if security is to become part of a company’s culture a more holistic approach is required, one which must begin at the top with boardroom support. Companies seem to understand this in theory, with almost three quarters of them suggesting that preventing a security attack should be a regular item on the boardroom agenda, but as we have already discovered, in practice it’s a different story and cybersecurity needs more executive airtime.
This lack of visibility at board level is trickling down into the rest of the organisation. Many companies lack any real strategy when it comes to information security. Just over half of respondents reported a formal information security policy at their company, but that is still far short of where it should be.
Even though the chances of experiencing a breach are high, a formalised information security process is not commonplace: just over a quarter of companies report that they are part way through implementing an official information security policy. This figure hasn’t changed since 2015, so it doesn’t seem to be a priority.
Communication and awareness
A security policy is no use if it’s kept hidden away and never shared; it should instead be an evolving document that is regularly reviewed, updated and understood by those staff who are tasked with managing potential security situations on a daily basis. Globally, eight out of ten organisations with a formal policy said that they had actively communicated it to everyone in the organisation.
Yet the quality of that communication isn’t questioned; it could amount to dropping a PDF file in someone’s inbox, which certainly doesn’t constitute an awareness program. Awareness among employees of their organisation’s information security policy is not high enough: in our research it was just 39 per cent, and that figure relates only to organisations that have a policy in place, so there is clearly room for improvement.
Perhaps one of the biggest challenges faced by a company hit by a security breach is how quickly it can recover. Its resilience is immediately tested, and those unable to withstand the impact could even cease operations as a result. Resilience comes down to how well a company has planned for an incident, and a necessary component of a company’s cybersecurity preparedness program is an incident response plan. Communication comes into play again, as a response plan will only be effective if it is read and understood. Of the companies that had or were implementing a full plan, just under half of respondents fully understood what was in it.
The research does provide some positives for the C-suite, in particular the active role it plays in executing the response plan, with responsibility allocated fairly evenly, at around the 20 per cent mark, between the CEO, CIO, CISO and COO. Breach preparedness certainly has more visibility at this level.
While businesses are making strides forward in cybersecurity, there is still room for improvement, along with an acute need to raise the topic to a board-level issue. Senior management must drive a culture of security from the top down, and with the serious regulatory repercussions that lie ahead with GDPR, there is no better time to start than now.