Who owns cybersecurity? asks Rick Jones, pictured, CEO and Co-Founder, of the cyber security company DigitalXRAID.
According to research towards the end of last year, one in five UK home workers had not received training or awareness on cybersecurity threats. Before the mass shift to remote working, this statistic may not have raised so many alarms. Yet, with repeated national lockdowns inflicted on us due to the pandemic, and the hybrid workforce model set to stay for the foreseeable future, appropriate cybersecurity training and guidance on staying secure while workers are remote is an essential part of an organisation’s cybersecurity posture.
Home working has also acted as a catalyst for the growth in ‘BYOD’ policies. Now, with many companies having to allow their employees to use personal devices for work purposes, the chances of an unsecured device accessing an organisation’s network has increased exponentially, meaning that threat detection becomes more difficult, and vulnerabilities are further exposed. Pair the growing threatscape with the inevitable employee apathy and more relaxed outlook that comes with a remote working lifestyle, and it is no surprise that, according to a Zero Trust Survey by Gigamon, 84 percent of respondents said that their organisation had seen a rise in the number of threats since the start of 2020.
In an era where we have all effectively become our own compliance officers, many are questioning who exactly is responsible for cybersecurity within an organisation – is it the individual employee, or the IT and security team? I would suggest that it is everyone’s responsibility to take ownership for their actions given the right training and tools. However, ultimately, cybersecurity strategy and ensuring a security first culture must be driven from C-suite leaders and business directors across the entire organisation; security must be championed from above as being part of the DNA of an organisation.
The top-down approach
A strong cybersecurity strategy should include a proactive approach involving people, process and technology. However for many, implementing a cyber strategy is reactive and only comes after experiencing the detrimental effects of a security breach first-hand. Until a company faces the financial repercussions of ransomware or experiences the loss of customer trust after critical data is breached, the ROI of implementing a secure defence system can go unnoticed or not be deemed worthy of the investment required. Without a measurable incentive to invest, budgets can go unapproved for months, even years, leaving businesses vulnerable for extended periods of time. However, it is important to consider that, according to a Ponemon Report, organisations currently spend $3.86 million (£2.9 million) recovering from security incidents.
Unfortunately, it is now becoming a case of when, not if, cyberattacks occur. A top-down approach is therefore necessary in every organisation, with business leaders driving cybersecurity decisions and encouraging a security-first mindset that filters down from the C-suite into each and every department. It is also key for business leaders to provide training opportunities and make educational resources readily available in order to arm their team with the right knowledge to recognise and thwart hackers. Without an organisation’s senior management team really hitting home the importance of security and compliance, it is impossible for the message to be meaningfully appreciated by any employee.
The NetOps team
The top-down approach also allows senior management to work collaboratively with their IT department. Ultimately, both the IT experts and business directors are working to optimise and improve business processes, yet the former is doing so through cyber-risk prevention tools and technology, and the latter is focusing on revenue objectives. By working together, IT and management can create a streamlined strategy that keeps business secure and protects their reputation.
So, for NetOps teams and InfoSec professionals, their responsibility over cybersecurity is not only to deploy, maintain and optimise the technology that will bolster their defence strategy, but also to communicate with the C-suite on the importance of cybersecurity, and to demonstrate that they are working towards the same goal. Alongside identifying network vulnerabilities, and patching where necessary, IT experts must work closely across the business to ensure that the security-first mindset is not just prioritised in their own department.
The insider threat
Responsibility is not only on the IT teams and their network detection tools, nor the C-suite leaders with their cybersecurity education programs. Ownership of an organisation’s defence strategy also belongs to the individual, as humans provide just as many vulnerabilities as an un-secured device or network blind spot.
In fact, the insider threat is one of the largest a business can face. This vulnerability can take the form of human error, for instance, being susceptible to sophisticated spear phishing attack and lacking the knowledge or incentive to report it. According a survey last year, 57 percent of UK IT decision makers believe that remote workers will expose their organisation to the risk of a data breach, due to the lack of concentration and vigilance that comes with working from home. However, it can also be more sinister than ignorance, as Deloitte found that 26 per cent of their survey respondents reported that, in the uncertainty of today’s environment, they are tempted to keep copies of valuable company data in case it becomes insolvent or they lose their job. Whether lacking focus and falling victim to hacking by error, or maliciously sharing data as a disgruntled former employee, it is clear that each individual member of the team has a significant role to play in protecting an organisation from threats – both external and internal.
It is impossible for an organisation to have a strong defence system in place and for employees to believe in a security-first mindset if it is not being encouraged from top. However, as long as the internal NetOps team and the C-Suite are communicating, as well as educating and training their staff on the importance of cybersecurity, it then becomes an individual responsibility as well. Each remote worker must accept that they have a part to play, and understand they are ultimately a threat to their company’s cybersecurity strategy.
