According to many surveys, cybersecurity is now reaching the top of the list of concerns for boards of directors and executives, and this might be due to a recent change in behaviour.
From cyber vandals to cyber criminals
Previously, most cyber-attacks against corporations originated from hacktivists with the intent to compromise the operations of an organization by taking down its systems. This behaviour has been described as “cyber vandalism” because the attack isn’t motivated by financial gain, but purely by the aim of destabilizing the company and demonstrating a hacker group’s skills and strengths. As a result, this threat was mostly dealt with by the IT department as it was deemed only relevant to information systems.
Nevertheless, from what I read in many recent reports coming from leading IT and information security firms, most attacks are now carried out by cybercriminals with a very different intent – to make money.
And here, ingenuity seems to have been taken a step further with many different “cybercrime economical models.” Just to illustrate a few:
- Stealing customer payment information to purchase goods
- Reselling customer confidential information to another party
- Blackmailing a company when finding a vulnerability
- Blocking systems until a ransom is paid
- And so on
Cybersecurity should be included in your enterprise risk register
This is where I think cybersecurity leaps out from being a pure IT consideration. Now it not only endangers regular business operations, it also poses financial, legal, regulatory, and reputational risks. This is why I believe the board of directors and executives are now seeing this risk popping up on their radar, and rightly so.
Unfortunately, one of the recurring issues is that it’s often only reported by IT, and when viewed through just this specialist lens, it would seem that applying an IT response would suffice.
I’m no cybersecurity expert but to be successful, and assuming no internal participation, a cybercriminal would need:
- Access to the appropriate environment and system
  - A first level of response would be to prohibit any connection that has not been verified as coming from a trustworthy user.
- Access to the appropriate confidential information
  - A second level of response would be to ensure that connected users only have sufficient privileges to access their own confidential data, and no other, unless previously authorized to do so.
Keeping in mind that these are high level illustrations, this could take care of the drivers and should therefore mitigate the risk. But what if it still happens because a vulnerability has gone unnoticed?
That’s why, to my mind, it is important to have cybersecurity included in your enterprise risk register, so that all impacts are correctly identified by the relevant experts and appropriate mitigation strategies are defined for all of them.
Don’t just monitor the drivers, tackle the impacts
As much as compliance won’t be able to define the IT controls that would prevent such attacks, the IT department won’t be able to assess the impact of non-compliances that could result from it – it will have to be a joint effort between those two lines of defense.
No one department is expert in all domains and that’s why I always advise involving stakeholders from different business areas. For cybersecurity, I think this is even more relevant.
Leverage the deep, technical knowledge of your IT department to identify and monitor all vulnerabilities but prepare for the worst with your other business and compliance departments to document and define response strategies for all the impacts, not only the operational ones. Should the risk manifest itself, you will be ready to take it on!
What about you — how is your cyber defense organized? Are different departments involved?
For more insight on cybersecurity, see Waging War Of Cyber Attacks: Governments Do, Some Firms Don’t.
I look forward to reading your thoughts and comments either to this blog or on Twitter (@TFrenehard)!