What can business leaders learn from a cybersecurity breach?
31 July 2017
As attacks against IT infrastructure are typically all about money, they are becoming more frequent and advanced. A cybersecurity breach is, at best, embarrassing, but at worst it can destroy a business.
As with business continuity, a significant percentage of business leaders do not take cybersecurity seriously until they get burnt.
It can be difficult to believe that your business is at risk, as many think attacks are mainly focused on banks and large firms. However, if hackers can exploit your business data for financial gain then you will be a target, no matter what size your business is or what sector you operate in.
Even relatively simple attacks like ransomware or data theft for blackmail can cause havoc within an underprepared organisation. The Internet is global, and a focused individual sitting in a bedroom somewhere will be delighted to receive £2,000 for perhaps 20 hours of work.
Learning from a cybersecurity breach
A good way to demonstrate the potential damage a cybersecurity breach could cause is to have an independent black hat and white hat attack or audit carried out by a third party. It really highlights the danger when they present the CEO with printouts of his emails, pictures of his family, salary information and the like.
Another sensible way to engage the C-suite is to undertake ISO 20000 certification. A significant part of the standard is to list all the risks associated with every part of the business. After this, you need to assign controls to mitigate those risks. You will then need to present them to the CEO or another C-level executive and explain all of the potential risks and controls. It is up to the CEO or senior executive to decide whether to invest in the controls or accept the risk.
All too often you will find the responsibility for cybersecurity placed solely in the hands of the IT Director or another senior member of the IT department, but really it must be dealt with at board level, just like any other serious threat to the business. Undertaking ISO 20000 certification increases the board's accountability for IT security by allowing them to see the risks firsthand.
No company has zero risk of a cybersecurity breach, so it's important to be aware of your risk profile now. If you understand the risks, implement the appropriate controls and have a documented procedure to protect your business from breaches and their aftermath, you can keep that risk at an acceptable level.
Robert Rutherford, CEO of QuoStar