Who Owns Cybersecurity? IT Department or the Entire Organisation?
In 2017, we witnessed some of the highest-profile, most wide-reaching cybersecurity attacks in history. The NHS was brought to its knees by the WannaCry ransomware attack in May of that year. Later that same year, the news headlines had moved on to the massive Equifax breach, and not long after that the Uber attack appeared on our TV screens and social feeds. And 2018 is no better. This year has been a ‘leaky year’, with 215 million records exposed in the month of August alone, and the list of breaches is long and painful to look through. These figures are sobering to read for anyone working with data and people.
Whenever anything happens regularly, it becomes normalised. What this means to our businesses is that cybersecurity touches everyone.
In this article, we will look at how cybersecurity has crossed from an IT department afterthought into the general domain of our organisation to become ‘everyone’s problem’.
The role we all play in cybersecurity
Cybercriminals cannot rest on their laurels. They are actually a pretty innovative lot. The basic computer virus of old that would enter our computers via a floppy disk now enters our IT systems in a number of clever ways. More often than not, cybercriminals use human behaviour to get past sophisticated software protection: attacks now manipulate human behaviour and other human factors as the way to deliver a malicious cyber-attack. This method is known as “social engineering”. The staff we depend upon for our core business are themselves the targets of the modern cybercriminal. Many of the most common cybersecurity threats rely, at some point in their execution, on tricking a human into doing something they shouldn’t.
The usual suspects
Certain methods of attack are known to use people rather than technology to initiate a cyber-attack. They also happen to be the most successful at stealing data.
- Phishing is the cybercriminal’s weapon of choice for a reason – it works. The APWG found that 76 percent of businesses experienced phishing attacks in 2017. And they are working: according to the 2018 Verizon Data Breach Investigations Report, 30 percent of users open phishing emails and 49 percent of malware is installed over email.
- Spear phishing is like phishing, only the cybercriminal knows who they are going after. According to Symantec, spear phishing is the number one way that malicious infection is achieved. It was used by 71 percent of organised groups in 2017.
- Business Email Compromise (BEC) is arguably the most human-dependent cyber threat. The criminals who use this method are experts in surveillance and reconnaissance. They know your business and they often stalk your staff by email, social media, or phone calls to gain the knowledge needed to carry out the crime. The scam ends in a theft: staff are tricked into thinking the CEO, or another company authority, is asking for a money transfer to a bank account (owned by the scammer). The scam is often multi-step and complex.
The cybercriminals are weaponising your staff
All of the above mechanisms depend on the staff within the target organisation. The cybercriminal then weaponises the staff: they become the detonator for the bomb. The phishing or spear phishing email contains the link or attachment that, when clicked or opened, detonates the bomb; the next step is malware infection or credential theft. This infection can result in anything from ransomware to data theft. And it all begins with a simple click or open by an employee.
Creating a cybersecurity champion
Cybersecurity lies in the hands of everyone in an organisation. But a company cybersecurity champion can help to evangelise the message that security is everyone’s business. A security champion is an employee who has extra training in security issues. They are like an agony aunt for your organisation, giving advice and being available to employees as the “go to” person for general security enquiries and information. Having one or more security champions on your team is part of a wider movement towards building a “culture of security” within your organisation. The idea of having one or more individuals who act as an internal guru on security matters is becoming popular: Gartner predicts that 35 percent of businesses will use one or more security champions by 2021.
What we can all do to own and control cybersecurity threats
- Create a human defence system against cybercrime: Cybercriminals use your staff as weapons to get what they want. So we need to play them at their own game by turning our staff into a wall of defence. Making staff aware of how cybersecurity affects their working lives is a step towards control. Security awareness programs facilitate this change in your organisation. They are designed to educate staff across the organisation about cybercriminal methods of attack, but they also modify behaviour by training people to spot security issues. For example, security awareness programs run phishing simulation exercises that teach employees what a phishing email looks like and what happens if you do ‘click the link’.
- Place IT in a central role: The IT team needs to be an integral part of rolling out a security awareness training program. It is their responsibility to ensure that security awareness training fits the business and is in line with business objectives. They also have the knowledge to fit security awareness training within compliance requirements and security policies.
- Use your board to evangelise and set the tone: The board has to take ownership of cybersecurity. When a cybersecurity incident hits an organisation, it can have deep repercussions, including damage to brand image and share price. The board and the C-level team are in a unique position to evangelise and encourage the culture of security that underpins a successful program of security awareness.
The title of this article is “Who Owns Cybersecurity?”. The truth is that it is everyone’s concern. The techniques used by cybercriminals have to be innovative. They ‘up the game’ to avoid detection by security software and, in doing so, use sophisticated tricks that turn employees into targets. To push back against the growing tide of cybercrime, we have to harden our responses, and our employees are our greatest asset in this. Cybersecurity threat prevention is a company-wide exercise that can be strengthened through knowledge and education. Security awareness is about awareness for all. Working as a team, we can beat the cybercriminals, together.