Isn't It Ironic? Every Month Calls for Cybersecurity Awareness
by Rob Treacey, Senior Director Professional Services & Head of EMEA Security Practice, Rackspace Technology
Last month, I heard the Alanis Morissette classic, "Ironic," on the radio. That's when it hit me: Just because October — Cybersecurity Awareness Month — is over doesn't mean we should relax now that it's November.
Every hour and every day, for 12 months a year, every one of us must take steps to ensure that our online lives are safe and secure.
Cybersecurity means different things to different organisations, so it is essential to define how cybersecurity threats impact yours. Consider how your organisation will evolve in the future and any new security risks introduced, specifically through:
- Introducing new products and services
- Operating in new locations
- Migrating from an on-premises environment to a cloud environment
- Transitioning to a paperless environment, and
- Outsourcing services to third parties
Seven Ironies of Cybersecurity
1. Cybersecurity awareness doesn't end in October. As hackers continue to exploit organisations 24x7x365, your company should make cybersecurity training and awareness ongoing rather than an annual activity. When staff are assigned yearly information security training because their organisation has mandated it, we all know that most people simply want to complete the training, so they do not appear red on any completion tracking report.
Make security a 'modus operandi' in your organisation where all employees understand their role in protecting information assets — and are doing the right thing.
2. Clicking the link. We are told daily never to click on a suspicious link. Then, during Cybersecurity Awareness Month, we are told to click on links to articles regarding the safe vetting of suspicious links! (To learn more about Irony Number Two, please click the link. Now that I have your attention…)
3. When an organisation states that cybersecurity is a high priority, then reveals its annual budget to be $100. Of course, I'm exaggerating, but you see my point! Cybersecurity was critical before COVID-19 — and is likely even more so now. A 2020 Deloitte survey found spending is increasing, but is it proportional to need? Although numerous articles on the internet say that organisations should spend approximately 15-20% of their annual budget on security, the average spend is in the 7-10% range.
The bottom line here is that every company is different. Your security outlay should be proportionate to the assets you are protecting. You could be a small organisation processing a significant volume of personal or special-category data, or a huge corporation that processes a relatively small volume of personal data. The objective is to strive to be proportionate to the risk exposure. If a breach would result in irreparable reputational damage, significant customer loss, or regulatory non-compliance, you'll probably require a healthy security budget.
4. When the number of cyber-attacks continues to increase, and yet the CISO still doesn't have a seat at the executive leadership table. According to a 2020 Deloitte survey of large financial institutions, CISOs typically report to the CIO or CTO in their organisation. Not only are CISOs pushed down within the organisation and denied a seat at the top table, they are still incorrectly categorised as IT.
Information Security, with cybersecurity as a subset, has evolved from simply managing IT controls. It is now an end-to-end business function, and the data owners reside within the business. Therefore, a CISO must be an influencer and a strategic thinker, and must possess the ability to liaise with multiple stakeholders, such as HR, risk and compliance, heads of business, marketing, external suppliers and executive management, to ensure data assets remain protected and that existing, new or emerging threats are appropriately managed.
The role of the CISO and the broader security team is to educate all staff. A CISO must be the "glue," communicating security requirements to everybody in layman's terms.
5. When an organisation's board, including its Non-Executive Directors, declares greater focus on cybersecurity and then uses personal email addresses to conduct its business. I have seen this far too often — sending and receiving confidential business documents, including minutes of board meetings, using Hotmail and Google personal accounts. Give these vital players a business email account and ensure that they use it. Security starts from the top down, and no one should be exempt from abiding by an organisation's security policies and procedures.
6. When someone asks, "Can you provide a solution to stop all cyber-attacks?" Only if you can disconnect from the Internet. Seriously, when a customer asks if they are fully protected from cyberattacks, the answer is, "If there were a product that protects somebody from every single attack, everyone would buy it, and then hackers would be trying to circumvent it."
Cybersecurity is a multi-faceted and multi-layered approach that will constantly change. Companies must remain ever vigilant. While there is no silver bullet, your organisation can help itself by:
- Being proactive
- Embedding security into everything you do, and not just as an afterthought
- Educating staff and focusing on people, processes, and technology
7. When an organisation's primary focus is on protecting itself from cyber-attacks, and yet it still operates in a predominantly paper-based environment. For example, I once worked with an organisation where the executive focus was around cybersecurity, and yet the organisation was storing copious amounts of paper records in a shared basement, next to a room full of gas canisters, in unlocked cabinets, and with most of the master records sitting on the floor. So it's not only about electronic data. You must protect your physical documents, too!
"Isn't it ironic," in the inimitable words of Alanis, that cybersecurity — both the "month" and the topic — is littered with paradox?