Cybersecurity is one of those topics that tends to divide opinion. For the dedicated professionals charged with protecting data and the network infrastructure across which it travels, cybersecurity is vitally important. For most of the rest, it’s something they are remarkably apathetic about.
It’s possible that this apathy stems from ignorance – a lack of awareness of the implications of a breach of cybersecurity. However, it may also be a case of “not my problem”. If it’s the second, then there needs to be a degree of re-education. Come to think of it, the same goes for the lack of awareness.
It’s not overstating things to say cybersecurity is everyone’s responsibility. Beyond those whose ‘job’ it is to protect data and networks against unauthorised access, everyone who has access to critical data, applications and infrastructure has a duty to demonstrate good cybersecurity practice. This includes everything from using strong passwords and thinking twice before clicking on email attachments to not using public apps to exchange sensitive information and not leaving your laptop on the train!
At a C-suite level, stakeholders need to get rid of the mindset that cybersecurity is ‘an IT issue’. In the event of a successful cyberattack, it won’t just be the IT security team that feels the impact. One only need look at the widespread chaos caused by the recent SolarWinds incident to see why.
There is more than one potentially hazardous pandemic sweeping the business world. Apathy can be dangerously contagious. If employees and board members alike aren’t concerned about cybersecurity, how do you motivate those charged with deploying and managing cybersecurity systems? In a recent McKinsey report, a quarter of cybersecurity professionals felt they were viewed with indifference and seen as a barrier to productivity. If cybersecurity professionals are undervalued, and their work underappreciated, what’s to stop them from succumbing to the same apathy?
Cybersecurity best practice
Given the almost daily headlines about cybersecurity incidents, it’s difficult to believe stakeholders remain unaware of the impact of a breach. Ignorance cannot be a defence. Why, then, are organisations so apathetic about the known risks? Is it because many believe the cure would be worse than the disease? By worse, of course, we mean costly.
Historically, encryption technologies were perceived as being too expensive or adding too much overhead to a system – both myths that have been comprehensively disproved for two decades. However, it’s not clear if the message has filtered through all levels of the enterprise. In a recent Thales survey, 85% of respondents said they understood separation of duties played an important role in network data security, but only 23% use dedicated encryption solutions to secure their data moving across high-speed networks.
Under modern data protection regulations, an emphasis is placed on transparency. For example, under the EU’s GDPR, organisations are obliged to notify regulatory bodies of a breach, along with those potentially impacted by it. If a breach occurs but the affected data is encrypted, it does not automatically qualify for public notification.
The former Gemalto Breach Level Index showed that, of the 14 million records lost or stolen every day, just 4% were encrypted. Statista analysis shows that, as of FY2019, encryption was deployed extensively across just 43% of enterprise infrastructure. The gap between 4% and 43% can itself be explained by the use of encryption: cyber criminals don’t want to work hard for their money, so they are far more likely to target victims that do not use encryption.
This raises the question: if you know high assurance encryption provides additional security, disqualifies a breach from automatic public notification and dissuades cybercriminals from targeting the organisation, why are you not deploying it enterprise-wide?
If you know you should do something but don’t, you are moving away from apathy towards negligence. Corporate lawyers would have little difficulty proving a weakness was known but not addressed. If negligence is proved, the implications of a breach go beyond corporate penalties to individual criminal prosecutions. Perhaps a few more executives and company directors appearing in courtrooms is what it will take to shake off the apathy and start focusing on security.