IT security increasingly becoming a board-level issue

16 Oct 2017

Article by Daniel Crnkovic, Content Security General Manager.

Many organisations have traditionally placed responsibility for their cybersecurity squarely in the hands of the IT department. This is a situation that is now rapidly changing.

Throughout the world, management boards are recognising that the risks associated with security breaches are so significant that the issue needs to be dealt with at the very top of the organisation. It's no longer sufficient to sign off on an IT budget and then not consider the issue any further.

This change in attitude has occurred in response to the increasing number of high-profile cyber incidents affecting organisations of all sizes. From ransomware attacks that cripple core systems to phishing scams that result in data theft, the impact of attacks can be significant.

Recent examples include the WannaCry attack that targeted computers running Microsoft's Windows operating system earlier this year. The rogue code infected more than 230,000 computers across 150 countries in a matter of days.

More recently, one of the worst data breaches in United States history occurred when hackers gained access to the data stores of credit reporting agency Equifax. The personal details of more than 143 million customers were compromised.

In Australia, the board-level attention given to IT security is being further fuelled by the mandatory data breach disclosure laws that come into effect in February next year. Under these laws, any organisation that is accountable under the Privacy Act will need to alert the Australian Information Commissioner and members of the public if their data has been compromised.

For board members, another key issue is business risk. They understand that, if a cyber incident disrupts operations or causes privacy breaches, they are the ones who are ultimately responsible. Just as the fallout from any other type of decision can result in a 'please explain' request from shareholders and regulators, so too would news that failure to take necessary security steps had led to a breach.

Thorough assessment

The first step for a board is to arrange a thorough audit of all the security tools and practices currently being used across their organisation. This review should examine all critical assets and determine what measures are in place to ensure their protection.

Assets should include all IT hardware including end-point devices, servers, networking gear and backup facilities. The review should also examine all software applications and data stores including any held within third-party hosted or cloud-based facilities.

A comprehensive gap analysis can then be performed that will serve to highlight where changes and further investments are required. This also ensures that any money spent is targeted at precisely where it's required rather than ending up funding knee-jerk reactions to perceived weaknesses.

A platform approach

In many cases, following comprehensive reviews of their organisation's IT security capabilities, management boards are opting to shift away from the purchase of point products and services and adopt a platform-based approach.

Taking this approach delivers a range of advantages including:

  • Improved consistency: An IT security platform offers a more holistic and consistent approach to security across the organisation. Rather than buying particular tools or services to address discrete issues, a more comprehensive solution can be created that maximises resilience to threats.

  • Fewer required skill sets: Reducing the number of individual security tools in use also reduces the number of skill sets required to manage them. Rather than needing to learn the intricacies of a broad range of security products, IT staff can instead focus on the chosen platform and understand it in depth.

  • Lower purchase costs: Investing in an integrated security platform can be significantly less expensive for an organisation than purchasing a range of disparate tools. Money saved can then be invested into other areas of the business.

  • Faster responses: Having an integrated security infrastructure will allow IT teams to respond more quickly to incidents when they occur. Rather than needing to juggle different tools, a more holistic approach can be taken.

Boards also need to understand that effective security is not a one-off task where you can simply 'tick-the-box' before moving on to the next issue. The chosen infrastructure must be constantly monitored and adjusted as the threat landscape evolves.

By ensuring security remains at the top of the list of items for consideration on an ongoing basis, the board can ensure their organisation is best placed to withstand attacks and maintain normal operations at all times.
