Cyber security should now be embedded in every company’s operational framework. We know that breaches are common and can have significant downsides, so how do businesses manage the threat of attack and create an environment where processes are not only put in place but also adhered to, so that the threat is mitigated? Everyone thinks it won’t happen to them, until it does!
This can be down to several different factors: optimism bias (thinking “it won’t happen to me”), organisational culture (where security is deprioritised) and failing to change systems as the business matures and outgrows its third-party service providers. What can be done to counterbalance these barriers to building a more secure business?
Optimism bias
There are, no doubt, many of us who go through life thinking that the worst things happen to other people. In fact, optimism bias is a stunningly effective survival technique which has driven human beings across the globe in search of new opportunities. However effective a positive disposition may be at times, when it comes to cyber security the best policy is to assume that someone, somewhere, at some point, will use an ever-changing landscape of malicious technology to compromise your business. In the worst cases, cyber-attacks can put you out of business overnight.
Cyber security and a culture clash
We recently spoke with a COO and cyber security expert about a phishing attack that their company went through. Whilst every business is different, in this case, there were simple things happening at the founder level of the business that could have been avoided to ensure that the business was more secure. The right processes were in place, but they weren’t being implemented at the top of the organisation.
The risk of a start-up mentality
As the business was growing, certain ways of working were becoming riskier. In the start-up phase of the business, everything was done on a shoestring, which is normal, and the lines between personal and work life, for those running the company, were blurred. Quite often in a start-up, clients are your friends, and work is very much your life. As such, the founder had one laptop for everything, with no separation between personal and business accounts, which meant that when the hacker phished the founder via a personal account, they were immediately able to get into the business information stored on the founder’s laptop and elsewhere in the cloud.
The risk of creating exceptions
If you’re in a senior position, it’s likely that you have developed certain comfortable ways of working that you don’t want to change. Digital natives adopt new technologies like changing a pair of socks, but some of us do not. This behaviour sets your business up for failure when legacy systems aren’t fit for purpose, or when you train your workforce to follow security protocols but create an exception for yourself.
Dealing with out-of-date systems
The most common cyber threats are relatively unsophisticated. In our example, the company was unlucky in the timing of the attack: they were close to completing a legacy system upgrade. But they were much luckier in other ways: although the hackers had access to whole sets of business data, they didn’t use them.
The risk of the “ostrich effect”, complacency and deprioritising security
The COO still had to work to convince the founder that something catastrophic could have happened, precisely because nothing catastrophic actually did happen. If the focus is just on making profits, burying your head in the sand and not keeping the business secure, then it’s far more likely that a major incident will occur and all profits will be wiped out. According to our expert, once you are exposed in an attack, information about your company is shared on the dark web so that other hackers can retarget you in the future.
Dealing with the fallout
Whilst not catastrophic, dealing with the breach brought significant costs to the company: a lengthy two-and-a-half-month investigation and, in the initial stages, round-the-clock work to rectify the situation. The company operates in a heavily regulated industry and had cyber insurance, which meant that it was required to follow certain procedures both by law and under the conditions of its contract with its insurers.
The COO engaged forensic cyber investigators to establish where, when and how the breach took place, and had to make the best possible decisions with ever-changing information as the situation evolved.
A top-level communication plan
Good internal and external communication is vital. First, there’s a duty of care to your clients, especially your most vulnerable ones. The client-facing team needs to be involved when communicating with clients, and regular updates are needed for all internal teams as the scope of the incident expands and shifts and new information comes to light.
So, what are the bare minimum requirements for protecting my business?
- Training with no exceptions, including establishing agreed processes for phishing emails:
  - The training should include simulated attacks, with targeted additional training for anyone who fails to identify a simulated phishing email as a threat
  - The no-exceptions policy should ensure that no one at the firm, no matter their position or seniority, is granted an exception that could leave the company vulnerable to attack
  - Establish protocols for identifying phishing emails, blocking malicious domains and communicating internally about suspected phishing
- A solid communication plan with protocols that go beyond legal requirements
- The use of forensic cyber investigators and insurers
- Using up-to-date malware protection
- Restricting admin rights and locking down hardware, software and web-based applications that allow data and file sharing
- Network firewalls
As we look to the future, the combination of AI and phishing technology will make it even easier to get tricked. While companies will all be at different stages of managing cyber security threats, it’s crucial to put more than the bare minimum protections in place so that your business can survive.
At The Siena Partnership, we provide independent consulting to, and recruit for, CxOs in the domain of cyber security. If this has prompted you to consider your approach and the support you need, please get in touch.
Barney Machen
Director, Technology Transformation
barney@thesienapartnership.com