What can business leaders learn from a cybersecurity breach?
July 31st, 2017
Attacks against IT infrastructure are typically all about the money, which is why they keep increasing in frequency and sophistication. A breach is embarrassing at best, but at worst it can destroy a business.
As with business continuity, a significant percentage of business leaders do not take cyber-security seriously until they get burnt.
It can be difficult to believe that your business is at risk, as many assume attacks are aimed mainly at banks and large firms. However, if hackers can exploit your business data for financial gain then you are a target, no matter what size your business is or which sector you operate in.
Even relatively simple attacks like ransomware or data theft for blackmail can cause havoc within an underprepared organisation. The Internet is global. Someone out there will be delighted to receive £2,000 for perhaps 20 hours of work, without even leaving their room.
Learning from a cyber-security breach
A good way to demonstrate the potential damage a cyber-security breach could cause is to have an independent red-team exercise or white-hat penetration test and audit carried out by a third party, under an agreed, written scope. When you present the CEO with printouts of their emails, pictures of their family, salary information and the like, it really highlights the danger.
Another sensible way to engage the C-suite is to undertake ISO 27001 certification. A significant part of the standard is a risk assessment: listing the risks associated with every part of the business. After this, you assign controls to mitigate those risks. You then need to present the findings to the CEO or another C-level executive, explaining each of the potential risks and the controls proposed for it. It is up to the CEO or senior executive to decide whether to invest in the controls or accept the risk.
All too often you will find the responsibility for cyber-security placed solely in the hands of the IT department. In reality it must be dealt with at board level, just like any other serious threat to the business. Undertaking ISO 27001 certification increases the board's accountability for information security by requiring them to see the risks first-hand and sign off on how each one is treated.
Every company could potentially suffer a cyber-security breach, so you must know your own risk profile. If you understand the risks, implement the appropriate controls and have a documented procedure for protecting your business from breaches and handling their aftermath, you can keep that risk at an acceptable level.