With so much talk over the past 12 months about the personal liability of Directors of organizations found to be non-compliant with GDPR by next May, and with cyberattacks such as WannaCry making the national news, it would be hard for any C-level executive not to have put two and two together and placed cybersecurity firmly on the next meeting agenda. In light of recent cyber threats, more and more businesses appear to be visiting sites like https://www.eatelbusiness.com/ seeking help to minimize the cyber threat.
If Directors listened to everyone who said that X or Y needs to be on the board’s agenda, their meetings would be never-ending. But in the case of cybersecurity, it would appear that the message is being heard loud and clear. In an article published by Infosecurity Magazine this week, it is reported that 25% of business decision-makers added cybersecurity to the boardroom agenda in the wake of WannaCry, with 58% believing their organization will likely or definitely suffer a cyberattack in the coming months.
This is welcome news to those of us who have spent years shouting from the rooftops that good cybersecurity begins at the very top of the organization. It is serious enough that lawyers now specialize in cyberlaw, advising organizations on what to look out for and what steps to take to stay secure. That said, I fear for the remaining 75%. The threat landscape continues to evolve and attacks are becoming more targeted and sophisticated (WannaCry, an indiscriminate worm, was the exception). SMEs are vulnerable to becoming collateral damage as cybercriminals look for the weak link in the supply chain of bigger fish, and if the attackers don't get you, the regulator will should you suffer a data breach. It is fair to say that organizations big and small are fighting a war on all fronts, as if the day job wasn't hard enough already. Companies should also know that penetration testing is one way to measure and improve their security posture and to fine-tune security policies.
My advice to those C-level executives who are now switched on to the risk (and to those who soon will be) is to look for the obvious gaps and plug them quickly. All too often it is people who are the weak link, whether complicit or not. How many times a day do staff members share passwords to access online applications, or use each other's desktops? Are passwords reset on a regular basis, and if so, are staff just recycling the same easy-to-remember credentials over and over again? This has become standard daily operating procedure for so many of us (especially in smaller organizations), and most people are blissfully unaware of the harm it could cause: one shared or reused password turns the compromise of a single account, or of an unrelated website, into access to the corporate systems behind it. What's more, Directors can be some of the worst culprits for reusing passwords across corporate and personal accounts.
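The recycle-on-reset habit described above (Summer2017! becoming Summer2018!, P@ssw0rd1 becoming Password2) can be caught at the moment a new password is set. The following is an added example written for this page in Python; it is not code from the author or from Authlogics. It keeps only salted PBKDF2 hashes of each previous password and of its normalized "stem", then rejects a proposed password that is known-breached, an exact reuse, or a trivial variant of an earlier one. The breached-password list and the sample history are constructed, and the normalization rules and PBKDF2 cost are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# PBKDF2 cost; an assumption for this example, raise it in production.
ITERATIONS = 100_000

# Constructed sample of known-breached passwords. A real deployment would check a
# full breach corpus (for example via a k-anonymity API) rather than a small set.
BREACHED_PASSWORDS = {"123456", "password", "qwerty", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 of the password; returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def normalize(password: str) -> str:
    """Reduce a password to the 'stem' users keep when rotating it: lower-case it,
    drop the trailing digits/punctuation that get bumped at each reset (2017 -> 2018,
    1 -> 2), then undo common letter-for-symbol swaps (@ -> a, 0 -> o, $ -> s, ...)."""
    stem = password.lower()
    stem = re.sub(r"[\d!@#$%^&*._-]+$", "", stem)
    stem = stem.translate(str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"}))
    return stem


def record_password(history: List[Dict[str, Tuple[bytes, bytes]]], password: str) -> None:
    """Append hashes of the new password and of its stem to the user's history.
    Caveat: the stem hash protects less entropy than the full hash, so the history
    store needs the same protection as the live credential store."""
    history.append({
        "full": hash_password(password),
        "stem": hash_password(normalize(password)),
    })


def _matches(entry: Tuple[bytes, bytes], candidate: str) -> bool:
    """Constant-time comparison of a candidate against one stored (salt, digest)."""
    salt, digest = entry
    return hmac.compare_digest(digest, hash_password(candidate, salt)[1])


def check_new_password(history, candidate: str, breached=BREACHED_PASSWORDS) -> str:
    """Return 'known-breached', 'reused', 'trivial-variant' or 'ok' for a proposed password."""
    if candidate in breached:
        return "known-breached"
    stem = normalize(candidate)
    for entry in history:
        if _matches(entry["full"], candidate):
            return "reused"
        if _matches(entry["stem"], stem):
            return "trivial-variant"
    return "ok"


def demo() -> Dict[str, str]:
    """Walk a constructed reset history through the checker and return each verdict."""
    history: List[Dict[str, Tuple[bytes, bytes]]] = []
    record_password(history, "Summer2017!")   # constructed previous password
    record_password(history, "P@ssw0rd1")     # constructed previous password
    candidates = ["Summer2017!", "Summer2018!", "Password2", "letmein",
                  "correct horse battery staple"]
    return {c: check_new_password(history, c) for c in candidates}


if __name__ == "__main__":
    for pw, verdict in demo().items():
        print(f"{pw!r}: {verdict}")
```

The stem hash is the trade-off to understand: it lets the check catch Summer2018! without ever storing Summer2017! in the clear, but an attacker who steals the history table gets a lower-entropy target, which is why the history must be hashed with the same KDF and guarded like the live password store. It is a stopgap for organizations that still run on passwords; it does nothing about a password that has been shared across desks.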
One good option is to remove passwords altogether, so that the burden of safeguarding a secret no longer rests on staff at all. Remember, if you suffer a data breach and are found to have been negligent in safeguarding against such an incident, it will be the Directors' necks that are on the chopping block.
Author: Steven Hope, CEO of Authlogics