Maksim Kabakou - Fotolia
In our digital era, organisations are becoming increasingly vulnerable to attack, with new points of entry opening up from email to cloud environments, from mobility to applications, from the payment gateway to the datacentre, and many more. In fact, with technology becoming so crucial to how we do business, every business is becoming a “digital business”.
Of course, some business models are based solely on digital technologies – think apps such as Uber and Spotify. But many businesses traditionally based on tangible goods have also been disrupted by a digital business model – retail, print media and music, for example.
Although digitally enabled businesses certainly have an increased attack surface, the key principles of cyber security best practice will always remain the same. Whatever the type of business, it is a fundamental requirement to have a plan in place that takes into account all the emerging technologies we are seeing, from cloud to increased mobility, big data and the internet of things (IoT).
It is also critical that organisations, no matter the size or industry, comprehend where data, which is instrumental for the day-to-day activities of a company, lives and, consequently, how it should be protected.
Beyond the technical processes and procedures, security professionals should also be familiar with the latest legislation and regulations that companies have to abide by, with a clear understanding of the various governance frameworks, including Isaca’s COBIT 5.
It is, of course, a cliché that those in the IT industry have poor people skills, but while their technical expertise might be second to none, how well are key cyber security messages being communicated throughout the business? It is imperative that security professionals can communicate effectively with employees and business stakeholders at all levels. This is especially important in digital businesses, where there may be a higher number of vulnerabilities.
Employees on the front line who might be vulnerable to social engineering must be educated about the latest potential threats, and how to avoid or mitigate them. While the advice is largely “don’t open attachments” or “don’t click on links” in unsolicited emails, the message is still not getting through, with phishing and even whaling attacks continuing to rise.
Read more about how infosec pros can communicate cyber risk
- Security Think Tank: Cyber risk – Overlooked? Ignored? Under-appreciated?
- Security Think Tank: Managing cyber risk requires genuine understanding
- Security Think Tank: Cyber security is everyone’s responsibility
- Security Think Tank: Cyber security must be recognised as a fundamental component of business
- Security Think Tank: Cyber risk not just an IT issue
- Security Think Tank: How to make cyber risk easier for business to understand
Communication skills are starting to feature more often on security course curriculums, but the issue is wider than that. Many organisations have no education or communications related to security in place. Isaca’s 2016 Cyber Security Perceptions research has found that more than half of UK office workers say their employers have provided no cyber security awareness training and more than one-third said they could not confidently define a phishing attack.
Cyber security also needs to be a board-level issue, with many calling for CEO pay to be linked to the success of a business’ cyber security measures. These issues are linked to every level of an organisation’s operations and, as such, clear communication is needed with the boardroom – right to the very top.
Businesses are starting to understand the vulnerabilities that digital technologies are opening them up to, and they are looking to security professionals to advise them. But their advice will only be heeded if it is clearly understood.
Ramsés Gallego is past international vice-president of the Isaca board of directors and strategist and evangelist in the office of the CTO at Symantec.