Not so long ago ‘cyber-security' was a term rarely uttered in most boardrooms. It was left up to the guys in the basement to ensure that systems and data were safe in case any bad guy showed up unannounced. Security breaches are now on the front page almost every day and causing major headaches for companies that didn't place quite as much importance on the issue as they should have. So recently the tide has changed and the upper echelons of the business world have begun to take note. Information security has started to gain the attention of the c-suite, but it's still a long way from being considered business critical – which is where it should be.
Once more unto the breach, dear friends
The amount of data we're generating and storing is almost unfathomable. Some of it's useful for businesses and helps inform decisions, some of it is useful for consumers – payment details helpfully saved for repeat purchases, credentials remembered to allow for ease of login upon subsequent visits, and so on. So while all this data stored online has its benefits, it also has its risks. As we've embraced the digital world and have entrusted trade secrets and personal details to unseen storage systems; hackers have risen to the challenge and taken advantage of security gaps and unwitting users opening erroneous file attachments with free abandon.
The impact of a breach often varies depending on the severity, the type of business and the response, but very few come out entirely unscathed and damage to both reputation and the bottom-line is all too common. It's estimated TalkTalk lost £80m and 100,000 customers after a 2015 cyber-attack, while Target saw sales fall by 46 percent year-on-year after its 2013 breach. Away from the usual loss of customers and impact on revenue, Seagate is now facing a possible class-action lawsuit from employees after their personal details were stolen during a breach. And who knows what will happen with Verizon's acquisition of Yahoo now they have admitted to the largest data breach to date?
It may have taken the misfortune of many, but businesses can no longer hear the canary, and have realised that something is going wrong. More are now employing chief information security officers (CISOs) to oversee the protection of data and networks. Finally, security is on the agenda of the boardroom – but we still have a long way to go.
Any other business?
Security being on the agenda every now and again is a good start, but the way security is considered at the board level needs to change. Until a serious security incident occurs close to home, protecting the company's networks and information is too often seen as an expensive and resource-intensive process that drains budget and offers little ROI. Having a CISO present at the board meeting is progress, but without the backing of the board, it's a constant uphill struggle to make any meaningful difference.
Marketing, HR, legal and other business functions are all seen as critical. Most organisations would recognise that they couldn't function without staff or customers, but fewer recognise the same can be said of security. As a consequence, security strategies may not be as robust as they could be. Solutions are implemented on an ad-hoc basis, and consequently cohesion and visibility across systems suffers. This fire-fighting approach can't go on much longer. Not only does it increase the risk to a business, but it can also make implementing new technologies a headache and slows down innovation.
This attitude has to change. We need to start encouraging organisations to think more of security as what it is, a business enabler. A function that underpins the organisation and allows it to be agile and innovative without fear.
In this piece, I won't speculate on where technology is going next but if the next decade is anything like the last one, the pace of change is going to be rapid to say the least. Devices, users and information will only become more integrated, more connected and more powerful, with the result that security will become increasingly impactful.
The businesses that re-think their security posture now and have flexible, scalable and adaptable systems in place will be the ones best positioned to embrace what's in store and gain the competitive advantage. If that isn't a business enabler, I don't know what is.
Contributed by Justin Dolly, CISO, Malwarebytes