It was around halfway through 2015 when a group of cyber-attackers who called themselves “The Impact Team” stole the data of 37 million users of controversial dating site Ashley Madison, and published the details online.
Such details included people’s email addresses, dates of birth and their credit card transactions. As a stand-alone event this is fascinating, great for small talk in the office, but it’s unlikely to strike fear into the hearts of senior professionals in organizations. However, the Ashley Madison breach was not the only cyber-attack to take a dramatic toll on an organization last year.
The VTech cyber-attack saw the personal details of 6.3 million children being leaked, those behind the Experian cyber-attack stole the records of 15 million customers, and this is to name just a few. Suddenly it’s become clear that organizations have every reason to fear for the security of their data and welfare of their customers.
We have a pressing problem with cyber-attacks which needs to be addressed. But how can we be sure the actions organizations are taking to tackle this problem are effective?
I teach and conduct research in the field of online security at Nyenrode Business Universiteit, focusing on topics such as fraud prevention, integrity issues, and public-private collaborations in the security industry. I’m also a member of the Netherlands Intelligence Study Association (NISA).
Using this experience, I pinpointed four key developments in cyber security, as a result of the cyber-attacks in 2015, which an organization would need to harness in order to tackle the challenges posed by last year’s crisis for 2016 and beyond.
Increase cyber security spending
Understanding and managing cyber security risks is certainly a significant priority for leaders both in businesses and governments for 2016, and the first step for organizations is to assess how much they invest in cyber defences and question “Is this really enough?”
Organizations are beginning to take action – PWC recently used the insights from The Global State of Information Security survey to reveal that 24 percent of respondents boosted their information security budgets, and 69 percent of companies incorporated cloud-based cyber security into their strategic initiatives during 2015.
It’s a good start, but simply increasing budgets does not go far enough.
Taking responsibility in the boardroom
It is important to acknowledge that cyber-attacks are beyond an organization’s control, but what can be controlled is how an organization chooses to respond.
This is why there should be an increase in the number of Chief Information Officers (CIOs) and even Chief Information Security Officers on corporate boards, to help ensure appropriate actions can be taken.
In the previous decade, we’ve seen an increase in the number of Chief Financial Officers serving on corporate boards as a direct response to the global financial crisis.
Developing comprehensive cyber security plans requires a similar culture at boardroom level, developing an awareness of the importance of security that extends from the C-suite to the professionals in each function since breaches can occur at any level and in any department.
It’s important for management to communicate their support in complying with new cyber security policies if they are to strengthen the resilience their employees have in responding to potential cyber incidents.
We need to clarify the responsibilities of external security providers and organizations.
In the wake of the VTech cyber-attack, the company was widely criticised by the media for their poor security and lack of encryption. But who was to blame really?
It could have been down to the internal IT staff, but there’s also the possibility that an external provider’s product failed to be effective.
If greater transparency and responsibility are to be encouraged between companies, external providers and customers, we need to gain an understanding of the ongoing interweaving that takes place between the public and private domain.
For organizations to understand where breaches typically occur and how to best protect against them, they must ask themselves two relevant questions: Who is doing what for whom and who can we hold accountable in the event of a breach?
Employees need formal training for cyber-attacks
Aside from encryptions and firewalls, a company’s first line of defence is its staff – yet there’s a lack of formal education within organizations, despite regular security decisions they make, such as: “Should I click on this potentially shady link?” or “Should I enter my password on this form?”
Knowledge typically comes from incidental and informal learning, such as news articles or the experiences of friends and family, rather than from management. The media’s focus is on who conducts the attacks, whereas expert information focuses instead on how attacks are conducted.
These differences prevent staff from understanding how persistent more mundane threats like viruses or phishing are, and how to protect against them.
Organizations need to encourage employees to be consistently alert and should take steps to educate them on cyber security, in an informal but efficient way.
In teaching employees to recognize when and how these threats occur, business leaders are taking the steps to clarify the responsibilities of dealing with cyber threats accordingly. In addition, they can easily identify the areas of security that need to be discussed at boardroom level.
This will vary according to the organization but, by having this system in place, we’ll finally be ahead in the cyber war.