What can business leaders learn from a cyber security breach?
31 July 2017
As attacks against IT infrastructure are, in the main, all about money, they are becoming more frequent and much more advanced. It’s, at best, embarrassing to have a cyber security breach, but at worst it can destroy a business.
As with disaster recovery and business continuity, a significant percentage of business leaders do not, unfortunately, take cyber security seriously enough until they have their fingers burnt.
It can be difficult to believe that your business is at risk, as many think attacks are mainly focused on banks and large firms, but any business data which can be exploited by hackers for financial gain will be a target – no matter the size of the business, or the sector it operates in.
Even relatively simple attacks like ransomware or data theft for blackmail can cause havoc within an organisation that isn’t prepared. The Internet is, of course, global, and a focused individual sitting in a bedroom somewhere will be delighted to receive £2,000 for perhaps 20 hours of work.
Learning from a breach
A good way to demonstrate the potential damage a cyber security breach could cause is to have an independent black hat and white hat attack or audit carried out by a third party. It really highlights the danger when the CEO is presented with printouts of his emails, pictures of his family, salary information and the like.
Another sensible way to engage the C-Suite is to undertake ISO 20000 certification. A significant part of the standard is to list all the risks associated with all parts of the business. Once this has been drawn up, controls need to be assigned to mitigate those risks. The CEO, or another C-level executive, is then shown all of the potential risks and controls, has them explained, and must then decide whether to invest in the controls or to accept the risk.
All too often you will find the responsibility for cyber security placed solely in the hands of the IT Director or another senior member of the IT department, but really it must be dealt with at board level – just like any other serious threat to the business. Undertaking ISO 20000 certification places IT security straight in the lap of the board and allows them to see the risks first hand, increasing their accountability.
No company can say it has zero risk of a cyber security breach, so it’s important to be aware of your risk profile now, before the worst happens. By understanding the risks to your business, implementing the appropriate controls and having a documented procedure for protecting your business from breaches and their aftermath, you can keep that risk at an acceptable level.
Robert Rutherford, CEO of QuoStar