According to the latest PwC CEO Survey, one of the issues keeping CEOs awake at night is cyber security. 53% of CEOs surveyed said they are worried about cyber security breaches affecting business information or critical systems.*
This isn’t surprising as the number of cyber attacks continues to rise. According to Gemalto’s Breach Level Index “2016 saw 1.4 billion records compromised in hack attacks,” which represents an 86 percent increase in data breaches compared to 2015.**
So what’s the largest contributing factor to cyber security issues? People. Although IT systems can be designed to remove and reduce the possibility of human errors, at some point in almost every system, humans have to make very important decisions. And the truth is mistakes will always happen – that’s one of the quirks of being human.
This is evident in several high profile public security breaches like the Ministry of Social Development (MSD), where personal information was compromised because “… (MSD) staff woefully under-estimated the risk of a malicious attack,” and did not follow established procedures.***
The error was a simple case where someone was given an incorrect permission setting, so they had access to information they weren’t meant to see. While this is an easy mistake to make, the damage to the MSD’s reputation was significant. And as companies continue to place more emphasis on driving new innovations and demand faster delivery of technology, mistakes like this are bound to happen. As businesses obsess over speed to market, in the rush to get things done, processes and due diligence sometimes slide. Companies that fail to take the time to fully assess the potential security implications are opening themselves up to risk.
So what can companies do to minimise their security risks?
- Create a “security first” culture and empower your people
Good security practices play a crucial role in helping companies achieve their business goals, so it’s vital that companies invest in creating a “security first” culture.
In a “security first” culture, IT security is seen as a business priority, equal in importance to all other priorities, which each and every person within an organisation is responsible for. Your people should have a clear understanding of the risks posed by cyber threats, how these could impact your business and what part they as individuals play.
In addition to regular training and policy and procedure updates, companies should also consider how they will drive the behaviour that actually makes those policies and procedures work. In a “security first” culture, all of your people should feel empowered to speak up when they spot potential threats or suspect something isn’t right.
- Invite your security experts to the table
One of the key advantages of the Agile development methodology is that it encourages companies to get all their stakeholders together from the outset when workshopping or brainstorming a new idea or product. Companies often pull in marketing and sales, product development, project managers, developers, and UX and UI designers, which leads to the creation of some really cool things. However, few companies invite security architects, their IT security team or even legal teams to these discussions. Why?
Involving IT security experts at the ideation stage will help ensure information security remains a high priority. The earlier you involve your security experts, the less likely you are to develop solutions which may inadvertently expose your business to security threats.
- Teach your teams to ask the right questions
In a rush to continually deliver new innovations to customers faster, some businesses build prototypes to validate a concept. We show these prototypes to users/customers to get feedback, we refine them and then we release these prototypes to more and more users to gain better insights. We often rush in without pausing to consider the checks and balances of what information is being captured.
Sometimes this means key questions are overlooked. Questions like “Do we need all this information?”, “How are we storing this data?”, “Who will have access to the data?”, “How long will the data be retained for?” etc.
In companies with a “security first” culture, every person feels comfortable asking these questions throughout a product development cycle. Everyone feels like they can put their hand up and point out the risks of moving too fast. You should strive to get to a place where your people can confidently say “Hey, I think there is a problem here,” and know their voice will be heard and acted on.
- Take care when adopting technology solutions for a different purpose
One of the best things about technology is that we can often take what we’ve created and adapt it slightly to solve a different challenge. However, using systems or products in ways which differ from their intended purpose can be risky. When it comes to assessing IT security we need to examine the entire environment we’re operating in. Each operating environment is different depending on the outcomes and outputs of the challenge we’re dealing with. This means that having done IT due diligence once doesn’t mean you won’t need to do it again when faced with new challenges, or in fact over time as situations and environments change.
- Collaboration tools are great – yet they don’t keep your data private
Collaboration tools are fantastic for allowing people to collect and share information in real time. At their core, they are designed to share data. However, they don’t keep data private. The same can be said for social networks. Before rushing into using a solution, take the time to investigate each platform so you can find one which will serve your intended purpose. When choosing a shared network or social platform, ask yourself:
- What will happen if this information is released?
- What will happen if another user of the system can access this information?
- What happens if we lose this information or it’s deleted?
- What is the minimum set of data we need to achieve the outcomes we’re looking for?
Again, in a “security first” culture these questions would be asked early in the process, so we can design, build, or purchase tools that are appropriate for their intended purpose.
While CEOs are right to be cautious about the potential risks cyber security poses, by focusing on creating a “security first” culture they can sleep at night knowing their whole organisation is taking responsibility for making IT security a priority. Companies that successfully do this will reduce their exposure to security risks which could cause them to lose credibility with their customers and inhibit their ability to achieve their business goals.
Nick Langstone is a Software Delivery Manager at ClearPoint who’s passionate about solving business problems using the best technology. If you’d like to talk about any of these topics, flick Nick a message via LinkedIn https://www.linkedin.com/in/nicklangstone/ or give us a call on +64 9 373 4626.
* Source: PwC 20th CEO Survey, February 2017, http://www.pwc.com/gx/en/ceo-survey/2017/pwc-ceo-20th-survey-report-2017.pdf
** Source: Find Biometrics, March 2017, http://findbiometrics.com/billion-records-compromised-hacks-403283/
*** Source: The Ministry of Social Development, https://www.msd.govt.nz/about-msd-and-our-work/newsroom/media-releases/2012/it-breach1.html