The C-suite: Increasing risk, one broken rule at a time?
March 28, 2018
By Bogdan Botezatu, Senior e-Threat Analyst at Bitdefender
The people charged with running an organisation may well be the most likely to expose it to a damaging cyber attack, according to infosec executives. A not-insignificant 41 percent of CISOs, CSOs and CIOs believe their direct C-suite colleagues to be the most infosec averse of any business demographic. This paints a worrying picture at the top of UK organisations given the current security landscape, in which enterprises and small businesses alike have been very publicly brought to their knees by devastating ransomware attacks such as WannaCry and GoldenEye/NotPetya in the last year.
The reputational and financial fallout of a large-scale data breach was deemed the most undesirable outcome by surveyed infosec executives, with 42 percent most concerned about a loss of customer or stakeholder trust, and 26 percent worried about the company being fined by a supervisory authority such as the Information Commissioner’s Office (ICO). These findings and more were recently revealed in Bitdefender’s Small Gains, Big Wins study. It explores, in detail, the pressures faced by CISOs, Chief Security Officers (CSOs) and Chief Information Officers (CIOs), and their attitudes to risk, speed and strategy when it comes to information security. The study takes into account the views and opinions of 250 CISOs, CSOs and CIOs in UK-based organisations of 500 or more employees.
Facing a growing and increasingly complex threat landscape, infosec executives have had to take stock and identify where the risks in their respective organisations lie. It turns out the C-suite isn’t just a risk in isolation. Three quarters of infosec executives (75 percent) deemed that management, from board level down to junior department heads, were the most likely to flout data security rules. This is in sharp contrast to just one in four (25 percent) who thought day-to-day knowledge workers were the most infosec averse.
From a departmental perspective, those departments more likely to handle sensitive information were deemed at greater risk of a data breach. Twenty-three percent of infosec executives cited Finance as the most vulnerable department, followed by Sales with 17 percent of the vote.
The research found that nearly two thirds (65 percent) of CISOs are losing sleep at night over information security threats, yet their direct C-suite colleagues are the biggest culprits when it comes to bending the rules. What’s clear is that the modern-day CISO, CSO and CIO need to be far tougher in conveying the real-life repercussions of poor information security practices, from board level downwards.
To keep up with the challenges and pace of change in cyber security, infosec executives are taking a serious look at which small, easy-to-implement information security changes will have the most positive effect on risk response. Many of these small changes centred on speed, as the swift identification and mitigation of cyber threats can prove invaluable to an organisation, potentially saving it from disaster.
The areas of the security stack where speed was deemed either critically or very important by infosec executives were endpoint security, detection and response (75 percent), closely followed by anti-exploit/memory protection (74 percent). To gain sometimes substantial increases in speed, many infosec executives are turning to vendors who can offer security solutions built on a constantly updatable cloud architecture. Best-in-class solutions such as these give infosec executives peace of mind, knowing the impact of new malware variants is significantly, if not entirely, mitigated in a quick and effective way.
These infosec tools can serve as a vital layer of defence while infosec teams rush to patch software after a global exploit is discovered, such as EternalBlue, which WannaCry was built to take advantage of. Just over half of infosec executives (51 percent) seem confident their organisation could patch corporate devices against a newly discovered vulnerability within 24 hours. That still leaves 49 percent who would take 25 hours or more, which is why adequate endpoint security is so vital.
One specific and recurring example of a small change infosec executives have enacted has been to increase end-user awareness of the variety of threats and attack vectors currently being exploited by cyber criminals. Examples given by CISOs in the qualitative section of the study range from regular training programmes teaching employees what to look out for, right through to a more ‘shock tactics’ approach, where IT conducts mock phishing and social engineering exercises on employees to reinforce the consequences of infosec negligence.
Information security is certainly an ever-evolving process, with advancements in technology expanding not only the threat landscape but also the protective tools available. A balanced approach to data security, encompassing not only best-in-class infosec solutions but also surrounding yourself with the right security response team, is key to effectively mitigating threats.
Reassuringly, people in the positions of CISO, CSO and CIO are now far more likely to have a seat at the boardroom table, as recent global attacks have thrust cybersecurity into the limelight. Moving forward, they will become more responsible for fundamental business and process changes to ensure business continuity, whatever internal or external threats are thrown at their organisations.