lolloj - Fotolia

Cyber threats relatively unknown outside IT, says expert

In many businesses, few non-IT people have heard of even big information security threats, according to a security industry veteran

Few business people outside IT departments have any knowledge of current information security threats, according to BH Consulting founder and chief executive Brian Honan.

“In many businesses, few non-IT people have heard of even big information security threats, such as the Heartbleed vulnerability or attacks like the one on Sony Pictures,” he told Computer Weekly.

This lack of familiarity of the continually changing threats to information security is one of the biggest challenges to raising the cyber literacy and security awareness of non-technical executives, said Honan.

“To many people in the business side of things, cyber security is something that is in the background, or something they pay attention to only for regulatory compliance reasons,” he said.

Despite the growing importance of information security to business, added Honan, there is still not a good understanding of the issues by the business.

“Information security professionals struggle to engage the business on the topic because they tend to focus only on the technical aspects using terms and concepts unknown outside IT,” he said.

“This makes information security a mysterious part of the organisation that is associated with telling people in the business that they cannot do things because of security.”

Consequently, information security professionals tend to be viewed in a negative way by the business, presenting further challenges to improving awareness and understanding of security issues.

Read more about information security and business

“Information security professionals need to communicate better with the business in a way that is not too technical or difficult to understand,” said Honan.

One approach to this long-standing problem, he said, is to translate security topics into business terms and metrics so that non-technical executives can see value and benefit in security.

“For example, instead of talking about the number of spam email messages a filtering system is capable of blocking, we need to express that as time and cost savings,” said Honan.

Information security professionals should also talk to the business more in terms of business risk, he said, because that is a more familiar and meaningful concept.

“For example, when talking about things like bring your own device, we should not say ‘you can’t do that’ but instead say ‘yes you can do that, and the business risks are as follows’,” said Honan.

Then as a follow up, he added, information security professionals can tell the business what security investments need to be made to mitigate that risk or manage it down to an acceptable level.

Meaningful metrics

Honan believes that information security professionals should ensure they are continually providing meaningful metrics to the business to ensure that security is constantly on the radar of executives.

“These metrics can include things like the proportion of staff that have completed security awareness training, the proportion of mobile devices that are encrypted, the number of security incidents, the mean time to resolving security incidents, and how these metrics are trending over time,” he said.

However, Honan warned that metrics in isolation may not provide any great insights into how well a security programme is working. “You have to tie them in to other metrics and things that might be having an influence on the business, such as a planned acquisition or product launch,” he said.

According to Honan, the ISO 27001 information security standard provides a useful way of understanding potential deliberate and inadvertent risks to information security in a business.

“The standard has been useful in helping to engage the business, but it is key as an information security professional to understand the business you are dealing with,” he said.

“One industry sector is not necessarily concerned about the same types of risk as another, which means that when talking to a business, it is important to understand what risks it cares about.”

Understanding the business better makes it easier to communicate the impact of particular security threats in a much more relevant and effective way, said Honan.

It is also useful to talk to managers to find what they are struggling with from a security point of view, he said. For example, sales teams may be finding security too cumbersome for accessing systems remotely.

“When people find security too difficult, they try to go around by copying data onto USB sticks or private cloud storage, which has huge risk implications for the business,” said Honan.

In one organisation where he encountered this problem, Honan said he worked with the sales manager to propose an enterprise cloud-based customer relationship management system.

“A similar proposal for a cloud-based email service was also adopted and rolled out to the whole business because it was secure, easier and less expensive,” said Honan.

“This is an example of a project driven in partnership with a business unit with security seen as an enabler rather than an inhibitor.”

All orgnisations are targets

According to Honan, another useful way for information security professionals to engage with the board and c-level executives is to demonstrate how cyber criminals are attacking every business size and type.

“Many organisations believe that cyber attackers are interested only in banks or payments processing companies, but they need to understand that all organisations are now targets,” he said.

“Businesses need to understand that criminals are not only after financial data, they are also seeking personal data of employees and customers, and to hijack IT infrastructure for criminal use."

Honan said most organisations are not aware that cyber criminals could hijack their IT systems as part of criminal botnet infrastructures for things like distributed denial-of-service attacks.

Boards may also need to be made aware that because of all the personal data their company holds, they have personal legal obligations for ensuring it is protected adequately.

“Information security professionals can help board members to understand their obligations form a regulatory compliance, governance and even ethical and moral point of view,” said Honan. 

He believes that information security professionals should be proactive about engaging with the business and demonstrating the potential value of security to achieving long-term business goals.

“By taking the initiative and engaging the business regularly and consistently, executives will quickly learn what is important to them and what questions they should be asking,” said Honan.

Honan is taking part in a panel discussion entitled Dear executives, parlez-vous security? at Infosecurity Europe 2015 from 2-4 June 2015 in London. 

Read more on Hackers and cybercrime prevention