Published on 30/08/2018 | Written by Heather Wright
Forget the bandaids, your company needs a security culture…
What are you going to do when your company is hacked? Here’s a hint: the correct answer isn’t to yell at your IT team to fix the problem, because technology is only one part of an overall modern-day security strategy for Kiwi businesses.
That’s the message from Graeme Muller, NZ Tech CEO, ahead of the New Zealand Cyber Security Summit, which hits Wellington on October 18. Muller says as businesses face an increasing number of threats from cyberattacks, cybersecurity needs to be moved to the forefront of their digital strategy – and overall company culture – to ensure they’re operating at their peak and to protect both customers and staff. And that means security is a C-suite and board level issue, as well as a culture issue, requiring strategic risk management and governance.
“Millions of dollars are being drained out of NZ businesses every month because they don’t do some basic things.”
A recent Gartner Emerging Risks report put cloud computing as the top risk concern for businesses, well ahead of the global economy and business ethics (although Donald Trump wasn’t mentioned). Gartner notes that while cloud presents new opportunities, it also brings new obligations, including mandatory cybersecurity breach reporting and Europe’s GDPR compliance, that leave organisations adopting cloud solutions exposed to risks they have not planned for. The top two fast moving, high impact risks – which Gartner says have the ability to cripple a company quickly – were also information security threats: social engineering and GDPR compliance.
But the report also notes that through to 2022 at least 95 percent of cloud security failures will be the fault of the customer organisation rather than the cloud provider, with companies needing to counter more sophisticated tactics such as social engineering.
“Data and statistics show you will be hacked and it will cost your business money, no matter how prepared you are, so as well as being prepared you also need to think this issue through in terms of what happens, when, and what processes you have in place to manage a hack,” Muller says.
He likens modern day security to having a good immune system, rather than merely putting a bandaid on a cut, or shoes on your feet to prevent cuts.
“It’s hard to keep ahead,” Muller notes of the increasing variants of ransomware and attacks. “So security becomes less about finding this magic bullet and instead a combination of people, processes and technology. We’ve been saying it for years, but it’s really important now.”
He says that requires reframing the security issue at a board level, acknowledging there is a high chance a business will be hacked, and putting in place a management plan for when it happens. “Do we have insurance in place? Do we have a comms and response plan in place? Are our backup procedures and disaster recovery robust? All of that is as important as having the things in place to stop it happening in the first place,” he says.
Muller says company culture, and the behaviours it engenders, such as being alert to phishing or similar social engineering techniques, are a major part of cybersecurity.
“Culture has to come from the CEO or manager deciding what they want and articulating it. Then they use people like HR, IT, finance and apply suitable policies and incentives to steer toward the culture they want,” Muller says.
“If they want to create a more resilient culture within the company then the boss needs to understand what that means. It’s always a balance between risk and getting on with business. They don’t have to be experts, but they do need to conceptually understand it – what is the risk, where is it coming from, and what are we doing to mitigate it.”
But while Muller is advocating board level involvement and an overall security culture within companies, he acknowledges many Kiwi companies still don’t fully comprehend the cybersecurity risk they face.
That’s something he puts down, in part at least, to a lack of publicity around business breaches. With a hack potentially spelling disaster for companies in terms of reputation and public confidence, most are, understandably, not willing to go public about any attacks. The breaches most of us hear about instead involve consumers or large international companies. “It’s hard to make that connection to the implications for my business if I’m hit by ransomware and can’t operate and have to pay out money to get my files back,” Muller says.
Earlier this year the Road Transport Forum admitted it had been hit by ransomware and had to pay ‘quite a sum of money’. An unnamed transport operator was also among nine companies to report ransomware attacks to CERT NZ in the first three months of this year.
Says Muller: “Millions of dollars are being drained out of businesses in New Zealand every month because they don’t do some basic things – two factor authentication, or a decent backup protocol, or training staff around phishing.
“They think putting in a piece of software is going to solve the problem, and even then they don’t maintain it or keep it patched.”
“It’s still amazing that even in large businesses the message isn’t getting through to the senior executive level, the board level. And that really impacts the approach and investment. And if you’re under investing, the risk is huge.”
The good news for companies that have response plans is that, according to Muller, the data shows they’re less likely to be hacked, because working out a response forces them to identify their risks.
“It’s a good process to go through to assume you’re going to be hacked and work out what you’re going to do as a board and what your response will be – technical, market, financial, reporting and people responses, the whole approach.”