We live in a world where not a day goes by without a new cybersecurity breach, data encryption, stealing business data, or infecting personal and professional devices with a new type of malware no-one even knew existed.
In the past year alone, a serious cybersecurity attack on Slovenia’s biggest commercial TV and an attack on one of the largest world IT management tools, Kaseya, have occurred. There have been attacks on the biggest US oil line, Colonial, and the biggest Brazilian supplier of beef and pork, JBS. Let’s not forget about the critical errors in Microsoft and Apache Foundation software, which caused damage to thousands of enterprises and organizations all over the world regardless of the industry or the size.
Comparing cyber attacks between 2009 and 2020 shows that the types of attacks in the last decade have not changed much. The emphasis on using soft components – educating management and employees on cybersecurity threats is therefore crucial!
How serious the danger of cyber attacks is can be gathered from the fact that the US Government has put out the same amount of reward money for information about leaders of organized crime dealing with cybercrimes as for the most-wanted terrorists – USD 10 million.
Management and Cybersecurity
The management and the executive team of a company need to be in sync regarding risks connected to cybersecurity threats. The board’s responsibility is to ensure that the executive team has a plan, is prepared, and that the entire organization is braced for a possible attack. You shouldn’t wonder whether an attack will happen; The real questions are the following:
- When will the attack happen?
- Is the organization ready for attack detection?
- Is the organization ready for attack prevention?
- Can the aftermath of the attack be mitigated and can business return to normal ASAP?
The cybersecurity of a company and the risks connected to it shouldn’t fall on IT managers alone, the entire management should be aware of them:
- CEOs need to understand the legal consequences of cybersecurity risks as they are directly connected to the company’s operations.
- CEOs need to understand and approach cybersecurity as a strategic risk of the company, not just of the IT environment.
- CEOs need to expect that the management will implement a framework for managing cybersecurity risks for the entire company with the adequate resources.
- Management boards need to have access to professional knowledge about cybersecurity and managing risks needs to be frequently addressed on meetings.
- Management’s discussions about cybersecurity risks need to include the identification and evaluation of financial exposure to cybersecurity risks that need to be accepted, mitigated, or transferred together with detailed plans connected to each approach of risk management.
Many companies and organizations start working on their cybersecurity budget under the wrong assumption – that they will probably never be attacked. That is why they believe they can lower their protection investment. A lot of companies learn the hard way that attacks can occur whenever, to whomever.
It doesn’t matter if the company is big or small as attacks are frequently random and automated. In many cases it’s like being a clay pigeon at a shooting range. If organizations use specific software or hardware and it has unknown vulnerabilities, you can be successfully attacked.
One of the biggest errors when building and assigning resources to cybersecurity plans is equal spreading of resources to all cybersecurity areas in an attempt to generally lower the risks. The main issue with this approach is that organizations will not contribute enough to areas that pose the highest risk as they will spend too much on low-risk areas. In some organizations, the security of a supply chain and its basic operational technology can be much more critical for business operations than cloud security.
MANAGING CYBERSECURITY RISKS
The management of a company can deal with identifying, mitigating, and transferring risks when managing business processes and maintaining cybersecurity. Identifying and analyzing risks connected to cybersecurity is an excellent starting point for shaping guidelines for wise investments into different cybersecurity aspects.
You can perform a cybersecurity analysis of your company together with NIL’s experts. The workshop will include performing an analysis of security controls in your environment together with your employees. The final report can serve as a starting point for planning cybersecurity in your environment, comparing the ideal state to the existing one, or ensuring that your company is prepared for the worst.
Author: Stojan Rančić, IT architect, NIL
This article was first published in the MQ magazine (#50, April 2022).