Upper management must get more involved
It’s my view that cybercrime is one of the top 3 threats to every company in the world, and one of the most significant problems faced by humankind in developed countries. Cyber threats have evolved, and no longer target just computers, networks and smartphones. The advance of the Internet of Things (IoT) and general global connectivity means they also affect people, cars, railways, airplanes, banking systems, electrical power grids and pretty much everything else. The more things we connect up and make smarter, the more targets we create.
It is also true that many companies lack the right information about cyber threats at senior management level, and this is not a sustainable way forward.
Managing digital risk in the modern era
This lack of information at senior levels means that companies too often take a reactive approach, only responding and spending money on cybersecurity after an attack or breach. According to Fortinet’s 2017 Global Enterprise Security Survey, corporate boards “appear to be more involved in post-breach management than prevention – only taking action as a result of security breaches in 93 percent of cases”.
Today cyberattacks are the fastest-growing crime in the US, and they continue to increase in size, in sophistication and in what they cost companies. So companies need a more proactive approach to protect against them.
How best to address cyber threats?
Something else that is important to remember about cybercrime is that attacks can hit all types of organizations, from Fortune 500 global multinationals, through mid-sized companies, down to small businesses. But how do you combat cyberattacks? One good way is to begin with a dashboard. A cybersecurity dashboard should be simple to use and easy to understand, and it should allow executives to make decisions based on the information in front of them.
For example, the dashboard should use pertinent Key Risk Indicators (KRIs) that provide hard data. The number of blocked attacks is not a pertinent KRI: no decision can be taken on the basis of that figure. Since the main cyber risk to an organization is an employee downloading a file or clicking on a malicious link, we need numbers and percentages for that type of action. Phishing and spear-phishing are now huge problems: between January 2015 and December 2016 there was a 2,370 percent increase in the financial impact of spear-phishing, and companies are struggling to combat phishing attacks in general. In 2017 PhishMe found that 91 percent of attacks start with phishing, so that is something we need to be able to measure.
To address this, organizations need to run phishing security campaigns that raise awareness of the issue with management, and deliver training that improves employees' ability to detect phishing emails. Using a dashboard to measure and report the scores from those campaigns makes the improvement visible.
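As an added illustration of what such KRIs can look like in practice (example code written for this page, not part of the original article and not Orange's dashboard), the Python below turns constructed phishing-simulation results into the percentages an executive can act on: click rate, credential-submission rate and report rate per campaign, a per-department breakdown that shows where training is needed, the employees who clicked in more than one campaign, and a simple traffic-light status. The data set, the `SimResult` field names and the traffic-light thresholds are all assumptions.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class SimResult(NamedTuple):
    """One simulated phishing email delivered to one employee (assumed schema)."""
    campaign: str
    employee: str
    department: str
    clicked: bool      # followed the link in the test email
    submitted: bool    # typed credentials into the landing page
    reported: bool     # reported the email to the security team


# Constructed sample data (hypothetical, not output from a real campaign):
# two quarterly campaigns, eight test emails each, same eight recipients.
SIMULATION_LOG: List[SimResult] = [
    SimResult("2017-Q1", "u01", "finance", True, True, False),
    SimResult("2017-Q1", "u02", "finance", True, False, False),
    SimResult("2017-Q1", "u03", "hr", True, True, False),
    SimResult("2017-Q1", "u04", "hr", False, False, True),
    SimResult("2017-Q1", "u05", "it", False, False, True),
    SimResult("2017-Q1", "u06", "it", False, False, True),
    SimResult("2017-Q1", "u07", "sales", True, False, False),
    SimResult("2017-Q1", "u10", "finance", False, False, False),
    SimResult("2017-Q2", "u01", "finance", True, False, False),
    SimResult("2017-Q2", "u02", "finance", False, False, True),
    SimResult("2017-Q2", "u03", "hr", True, True, False),
    SimResult("2017-Q2", "u04", "hr", False, False, True),
    SimResult("2017-Q2", "u05", "it", False, False, True),
    SimResult("2017-Q2", "u06", "it", False, False, True),
    SimResult("2017-Q2", "u07", "sales", False, False, True),
    SimResult("2017-Q2", "u10", "finance", False, False, False),
]


def campaign_kris(rows: List[SimResult]) -> Dict[str, Dict[str, float]]:
    """Per-campaign rates: click_rate (followed the link), credential_rate
    (entered credentials, the costly case) and report_rate (detection skill,
    which should rise over time). These are the figures the dashboard shows."""
    sent: Dict[str, int] = defaultdict(int)
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for r in rows:
        sent[r.campaign] += 1
        hits[r.campaign]["clicked"] += r.clicked
        hits[r.campaign]["submitted"] += r.submitted
        hits[r.campaign]["reported"] += r.reported
    return {
        c: {
            "sent": n,
            "click_rate": hits[c]["clicked"] / n,
            "credential_rate": hits[c]["submitted"] / n,
            "report_rate": hits[c]["reported"] / n,
        }
        for c, n in sent.items()
    }


def department_click_rate(rows: List[SimResult], campaign: str) -> Dict[str, float]:
    """Click rate per department for one campaign, to target training."""
    sent: Dict[str, int] = defaultdict(int)
    clicked: Dict[str, int] = defaultdict(int)
    for r in rows:
        if r.campaign == campaign:
            sent[r.department] += 1
            clicked[r.department] += r.clicked
    return {d: clicked[d] / n for d, n in sent.items()}


def repeat_clickers(rows: List[SimResult]) -> Set[str]:
    """Employees who clicked in two or more campaigns: training did not stick."""
    campaigns_clicked: Dict[str, Set[str]] = defaultdict(set)
    for r in rows:
        if r.clicked:
            campaigns_clicked[r.employee].add(r.campaign)
    return {e for e, cs in campaigns_clicked.items() if len(cs) >= 2}


def traffic_light(kri: Dict[str, float], red: float = 0.30, amber: float = 0.15) -> str:
    """Collapse a campaign's click rate to the colour an executive reads.
    The thresholds are illustrative assumptions, not an industry standard."""
    if kri["click_rate"] >= red:
        return "red"
    if kri["click_rate"] >= amber:
        return "amber"
    return "green"


if __name__ == "__main__":
    kris = campaign_kris(SIMULATION_LOG)
    for c in sorted(kris):
        k = kris[c]
        print(f"{c}: clicked {k['click_rate']:.0%}, credentials {k['credential_rate']:.0%}, "
              f"reported {k['report_rate']:.0%} -> {traffic_light(k)}")
    print("repeat clickers:", sorted(repeat_clickers(SIMULATION_LOG)))
    print("by department (2017-Q1):", department_click_rate(SIMULATION_LOG, "2017-Q1"))
```

The point of the three rates together is that a falling click rate alone can be misleading: the credential-submission rate is the one that maps to financial impact, and a rising report rate is the evidence that training is changing behaviour rather than just that the test email was easy to spot.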
What other steps can we take?
Prepare as much as possible and operate on the assumption that you or your organization will be the target of a cyberattack at some time or another. Because of AI, you will generally be one step behind the attackers, so you have to change your mindset – and think like a hacker. If I were a hacker, how would I target my company’s top executives?
Working with the right partner certainly helps: you can have all the most up-to-date cybersecurity tools in your company and well-qualified staff, but they still will not necessarily have experience of the very latest, up-to-the-minute information on threats. What are the current attacks? How do you contain a new type of attack? Which mistakes must be avoided?
How Orange can help
At Orange we have the biggest seamless voice and data network in the world and we work on cybersecurity 24/7. Our Computer Security Incident Response Team (CSIRT), comprised of cybersecurity experts, responds to customer issues instantly.
Furthermore, we provide consulting to support customer CISOs and CSOs in assessing the level of cyber risk faced by their company, not only from a technical perspective but also from a strategic business perspective. We then work with them to create a cyber risk dashboard that is customized for each respective customer.
One other thing I have found recently: today I do not tell people that my job is about “cybersecurity”, because that does not seem to cover enough. I tell people that I work in “business protection”, because that really is what cyberdefense is about now. Companies are facing unprecedented and unacceptable risks, and executives must be able to understand that fact. So security needs to be explained in a way that senior people can understand, so that they know immediately if there is a major problem.
Johny Gasser is an international security expert with over 15 years’ experience of helping multinational companies to address cyber security effectively. He joined Orange Business in 2005, having previously been an IT auditor and information risk management advisor at KPMG.
Johny is considered an international leader in information security, regularly speaks at high-level conferences around the world and contributes articles to newspapers and magazines. He operates as the “missing link” between business activities and information security or cybersecurity.