Sourcebase Reports

Country briefing excerpts and analysis from KCS Group

Cyber security: it is not an IT department, it is an attitude

Cyber security is a top priority for every organisation today, irrespective of size or sector. Daily breaches of varying scale demonstrate the real risk that cyber attackers pose to corporate structures, from individual opportunistic hackers to professional, organised groups of cyber criminals with advanced strategies for systematically stealing intellectual property, disrupting business continuity and undermining business resilience. The management of every organisation is therefore faced with the recurring task of ensuring that the organisation understands its inherent cyber risks and sets its priorities accordingly.

Contrary to common perception, cyber security is not exclusively about IT. Certainly, technology plays a vital role in the structuring of effective cyber defence platforms, but technology alone does not provide the solution to these issues.

Cyber attack is a business risk, and as such it requires risk management processes and procedures to be put in place at multiple management levels. It is then the executives’ responsibility to take control of allocating the requisite resources to cyber security, to actively manage governance and decision-making, and to maintain an informed organisational culture in which everyone understands the potentially disastrous consequences of, for instance, a single successful phishing attack.

The good news is that cyber-crime risks can be identified, assessed, controlled and reviewed. Your organisation may not be able to achieve absolute security, but by treating cyber security as ‘business as usual’ rather than as an exception, and by balancing risks, costs and benefits, your organisation will be prepared when an incident does occur.

Mitigating cyber risks

Effective mitigation of cyber risks requires enhancing capabilities in three key areas, namely prevention, detection, and response.

  1. Prevention is about installing the requisite technical platforms within the organisation, assigning responsibilities and creating accountability for dealing with cyber-crime, and developing awareness and training for staff. Education is a fundamental aspect of cyber risk mitigation, as the carelessness or ignorance of employees is regarded as the highest vulnerability, according to the Ernst & Young Global Information Security Survey 2015.
  2. Detection refers to the continuous monitoring and data mining used to identify unusual patterns of data traffic and to observe overall system performance. Through the continuous and systematic monitoring of critical events and incidents, the organisation can strengthen its detection methods considerably.
  3. Response involves an adequate and well-rehearsed plan of action for when an attack takes place. It also embodies the idea of ‘learning from experience’ so that similar incidents are handled better in future.

Common cyber security mistakes

There are numerous misconceptions about cyber security that lead to the same mistakes being repeated over and over again. The three most common mistakes are as follows:

  1. One can achieve 100% protection against cyber-crime. This is one of the most common cyber security myths. There is no ‘perfect’ security. Once you understand that absolute security is effectively an illusion and that cyber security is ‘business as usual’, you will also understand that the emphasis should not be placed on the end itself, but on the means of achieving cyber maturity: prevention, detection and response.
  2. Effective cyber security rests exclusively on technology. Good cyber security starts with developing robust active cyber defence capabilities. However, the human factor remains the weakest link. Social engineering, whether through social media or phishing scams, remains the main risk that organisations face today.
  3. Our technology needs to be better than that of the hackers. The war on cyber-crime, just like the war on drugs or terror, is a race that cannot be won outright. While it is important to keep up to date with the sophisticated methods that attackers use, it is equally important to adopt a flexible, proactive and strategic approach to cyber security.

Tailoring is the key to cyber maturity

Ad hoc approaches to cyber security create fragmented structures and responsibilities. Organisations need to develop an enterprise-wide approach to cyber security that reflects their accepted risk appetite.

They should establish a tailored defence posture based on understanding the threat relative to the organisation’s vulnerabilities, establishing mechanisms to detect an imminent threat, and building the capability to engage in immediate incident response to minimise risk.

KCS Group has a long-standing tradition of providing comprehensive cyber risk mitigation support for corporate structures of any size. The company’s layered cyber defence products and services embody the three key capabilities of prevention, detection and response. For more information, visit the website: www.kcsgroup.com

Information

This entry was posted on February 8, 2016 in Cyber Security.