rost9 -

A carrot-and-stick approach to fixing cyber security complacency

With a majority of IT decision-makers holding the opinion that their employers are complacent when it comes to data protection, we look at what needs to be fixed, and how to fix it

Almost two-thirds of IT security decision-makers across UK companies believe their organisations are complacent about data protection.

A Kaspersky study conducted at the start of the year revealed that although most are aware of the danger that exists and even the potential implications of a serious breach, many remain in a state of panic or disillusion about how to arm themselves adequately.

“Just imagine it’s exam time at school, and you’ve been urged to read through the entire paper first and to plan properly for the test that’s in front of you,” says David Emm, principal security researcher at Kaspersky. “But then everyone around you starts writing furiously.

“You don’t know if what they’re doing is right, but you feel pressured into ditching your careful planning strategy for fear of falling behind.

“That’s what we believe is happening in the UK when it comes to cyber security. Companies aren’t complacent about the idea of taking the test, but when there is such an urgency and pressure around protecting valuable data, companies are rushing into quick-fix, knee-jerk responses, rather than considered action.”

Tesco. The NHS. Cathay Pacific. Maersk. There are high-profile examples of significant data breaches in nearly all realms, and it was this that triggered Kaspersky’s “testing of the waters” to see what the general feeling in the UK was in view of this clear and present danger.

Sampling different-sized companies across all sectors, the global security solutions provider soon noticed through the survey that “complacency” was a multi-layered and complex feeling among enterprises.

Emm says: “Among SMEs [small and medium-sized enterprises] especially, there is often a feeling of ‘why would we be attacked?’. They can understand TalkTalk or Cathay Pacific being targeted, but as a producer of widgets or as just a seemingly insignificant link in a bigger value chain, many are complacent about their vulnerability.

“In a lot of cases, companies aren’t even doing the bare minimum of protecting passwords, which is really inexcusable,” he says.

But this wasn’t the overriding consensus. Almost three-quarters of businesses agree that cyber complacency is damaging to their business, and two-thirds accept that they would lose customers if breached. Most concerningly, 61% of those surveyed actually believe they will face a cyber attack over the next two years.

There is seemingly widespread acknowledgement that the threats are out there and that the implications of breached customer data would be huge. So this begs the question: does the issue actually lie in organisations not knowing who to turn to?

Adapting the message

Talal Rajab, head of programme for cyber and national security at TechUK, attended Kaspersky’s roundtable to discuss the findings of the survey.

“What we’re seeing year on year is that awareness around cyber security is slowly increasing,” he says. “Particularly at board level, decision-makers are aware of the dangers, but they lack the knowledge around what to actually do.

“If you look at the yearly DCMS Cyber breaches survey, as many as two-thirds of organisations are likely to suffer a breach, but very few say they have instant response plans or formal training programmes in place to tackle that likelihood.”

Rajab was therefore not surprised by Kaspersky’s findings. He also agreed with Emm that both TechUK as an independent entity, and Kaspersky as a cyber security supplier, need to work in tandem to improve the situation.

At present, if it is only suppliers that organisations are hearing from, then the vested interest associated with being sold a service or product may detract from the actual security message and advice being put across.

Emm says: “The importance of keeping up appearances, and the need to outsource to cyber security providers, confuses the situation a lot of the time. That is why, just like TechUK, we are keen to adapt the message and relationship to one based on guidance and education, as much as anything else.” 

Carrot and stick

For the security message to change and be effective, organisations need to know what the real implications are, why they are not immune, and what steps they should take to meet their own particular requirements. Most importantly, they need to understand that these steps do not just appear in the shape of a digital tool – rather in the form of a complete cultural shift and change in mindset.

“This requires a carrot-and-stick approach,” says Rajab. “The regulatory landscape has changed through the advent of GDPR [General Data Protection Regulation], but through introductions like this, regulatory fatigue can also set in. It can also just force companies into rash decisions and digital investments without really understanding why they need them.”

Read more about data protection

  • A cloud-based data protection platform can make critical tasks easier on your organisation. These tips help you make the most of this valuable service.
  • While plenty of teleworking tools exist to help the increase in people working at home due to Covid-19, managing and protecting proliferating endpoint data can alter IT pros’ jobs.
  • As consumers add more connected devices to personal networks, cyber security risk is hitting close to home. Here are steps individuals can take to ensure personal data protection.

Rajab suggests alternative “carrot” approaches in the form of insurance companies offering cheaper premiums to organisations that show themselves to be intrinsically “cyber hygienic”. Similarly, tax breaks could be offered to those that prove an aim, strategy and organisational leaning is in place to protect critical data.

“This is especially the case for SMEs,” says Rajab. “Businesses need to understand that it’s not just their data that is in jeopardy – it’s the data of customers, members of the public, their staff members, business partners around them in the supply chain.”

That is why, from a governmental perspective, some of the decisions are being taken out of organisations’ hands. GDPR kick-started the process, and the UK’s impending, updated National Cyber Security Strategy will reinforce the clear instructions being conveyed.

“There is also the National Cyber Security Centre [NCSC], which the government has invested a lot into and is an excellent addition to the security landscape here in the UK,” says Rajab.

Digital and cultural transformation

So, soon, complacency won’t be an excuse. It shouldn’t really be now, in a literal sense. However, the panic that the subject of cyber security has injected into industry, compounded by the confusion over who to rely on to instil an effective response, makes organisations’ attitudes understandable for the time being.

Such effects have been seen with other digital buzzwords in recent years: big data, software as a service (SaaS), cloud platforms and artificial intelligence. These are all tech “must-haves” driving businesses, especially SMEs, into uncharted and unguided territory for fear of missing out or falling behind.

Emm explains: “Companies realise that security is one of those considerations among the melee, but fail to realise that instilling a better digital culture across their entire company will actually fix all of the above strands in one ethos.”

And this need not necessarily require a huge investment in a cyber security package, he adds. “When the cultural transformation is in place, and organisations have an actual strategy for digital optimisation and protection, they will realise that the guidance given is usually quite rudimentary.”

Emm states four approaches that can stave off 70% of all targeted cyber attacks:

  • Patch your operating system.
  • Patch your applications via technologies that can audit them for you.
  • Employ a “default, deny” approach that contains a list of what is authorised, and blocks anything else.
  • Don’t give anyone admin rights on machines automatically.

“Those four steps alone would raise the bar for most companies, but they need everyone in the organisation to adhere to them consistently and collectively,” he says.

“From there, companies should conduct regular cyber security assessments to review their policies and services; arrange regular training for IT staff to ensure there is ongoing cyber communication between executives and IT decision-makers; and then make more informed and tailored investments into endpoint security solutions that evolve in real-time reaction to the latest threats.”

Passing the test

The arrival of the EU’s GDPR has turned genuine complacency into a more curious version of unpreparedness in organisations. The onus is now on both sides to take the next step towards complete security readiness.

Rajab says: “GDPR was the stick, and we’ve discussed the carrots that could be offered too, but ultimately we need to get to a point where companies aren’t spoon-fed or hounded every step of the way, over something so vital to their operations and even survival. Awareness needs to get to a point where they, as a business, know what the dangers are, and they know how to mitigate them.  

“This needs to start at the top via C-level agility and a willingness to change, informed by IT teams, achieved via guidance from industry and government bodies such as ourselves, and carried out by virtue of vendors such as Kaspersky.”

The infrastructure to ensure this shift in attitude is there, but companies first have to decide internally to step away from complacency and towards sustainable cyber readiness and protection.

Emm adds: “Going back to the school analogy, if you outsource, it can feel like getting someone else to do your homework. You may come out of it presuming that you’ve done well, but if someone was to quiz you on the topic afterwards, you’d come unstuck.

“That’s what companies are afraid of, amid so much scrutiny from things like GDPR. They think they’ll be given a solution they don’t understand and that will cost a bit and they won’t know if they’re any better off at the end of it.

“We are therefore taking the approach to not do the work for them blindly, but to guide them, so they can pass the test themselves.”

Read more on Privacy and data protection

Data Center
Data Management