2016 cyber threatscape: How to raise awareness with the Board

5th August 2016Claire SteadCorporate, Education, News, Public Sector, SecurityNo comments

Cyber threats are no longer a niche affair only thought of by the IT department. Mainstream media publishes daily news of cyber attacks, data breaches, ransomware, and more, making it a growing concern of the general public.

The persistent threat of sharing your information with an organisation at the risk that it could be hacked, stolen and sold, makes the trust consumers put in organisations weaken. The scaremongering can make it difficult for IT leaders to know where to allocate their focus, with budgets being stretched so thin that it’s often too difficult to protect against every cyber threat. And that’s the biggest difficulty to overcome; that it’s just a threat.

The Oxford English Dictionary describe a threat as “the possibility of trouble, danger, or ruin”. But that clearly outlines the issue, that there is only a possibility of something happening. No wonder it’s difficult to get buy in from the Board to invest in advanced security measures based just on the ‘possibility’ of an attack.

Board members like hard facts, and numbers. The Sales Director spends his life wondering about the possibility of whether targets will be met, but puts his neck on the line to commit to a number nonetheless. This poses the question: Should the CIO be put in a similar position, forced to commit to the likelihood of one out of a number of threats and just put the wheels in motion to protect against that one threat, because that’s what they decided to commit to?

It’s a minefield out there, and I can see why so many reports say that CIO’s are underprepared for cyber attacks. The truth is, the Board need to weigh up the impact of the threats, and if they can really afford not to be protected. If sales targets aren’t met – the worst that can happen is probably a few layoffs. If a cyber attack sweeps your network, the reputational damage of data loss or financial damage of ransomware could literally wipe out your existence over night, and all that’s left is another news story about an organisation that was underprepared for the modern cyber attack.

So how should organisations prepare themselves for the ever-advancing threatscape?

Acceptance is key. Every business, establishment, school and hospital should acknowledge that they are at risk. It’s very common to expect that in general it is large corporations who are at risk, because they are the ones with the big pots of money. However the media tell a different story and also identifies schools, universities and hospitals being at risk. The reason these kind of institutions are desirable to cybercriminals is because for public sector organisations, their reputational damage is much higher and they often hold substantially more confidential details about their customers. The need to get back to business as usual as soon as possible often sees these kind of establishments paying out on ransomware attacks, just for the purpose of business continuity.

SME’s are also at risk because they are often have less budget to protect themselves, however they act as a perfect gateway into much larger victims (you can read more about this in our post from May: The true cost of cybercrime and why SME’s are a target). In 2016, there isn’t an organisation that could claim they are truly exempt from the risk of a cyber threat, but those with strong security measures in place to protect themselves are certainly most likely to sleep easy at night.

To make sure there is acknowledgement at Board level of the need to invest in such protection, it is the job of the CIO to calculate the true impact and risk of each cyber threat. For example, what is the true impact of losing data? How many customers could this affect, and how many could we lose? What is the financial impact of this, and how much new business will we lose because of the reputational damage? How much will it cost to repair this?

As you can see, the CIO alone would not be able to answer these questions, and would need the input from Sales, Marketing and Finance, at the very minimum, to draw these conclusions. Once this exercise is complete, having recognition from other departments on the true cost of the threat makes it much easier to get Board level sign off for investment in protection.