The percentage of organizations attacked at least once a year, according to the 3rd edition of the annual CESIN survey (CESIN – Digital and Information Security Expert Club). In other words, virtually everyone. To make things worse, 50% of organizations have noticed an increase in the number of attacks this past year, and 25% report concrete impacts on their business (production downtime, website shutdown, loss of income, etc.).
Digital security is a topic that reaches far beyond IT. Cloud-based tools, mobile applications, instant messaging and payment tools are as much business accelerators as they are potential attack vectors. To defend effectively against these attacks, training and awareness should be everyone's concern. This is especially true for management, which has the power to raise cybersecurity to a genuinely strategic level in order to protect the organization's assets.
What are the dangers for organizations online?
Let's forget about viruses, malware and scams for a moment. These threats are commonplace and generally well anticipated by most organizations. This does not mean they no longer claim victims. But there is another category of concern that increasingly affects organizations: threats that can lead to significant losses, not only financial and operational, but also to the brand itself.
- Destabilization: Taking control of an information system (website, intranet, mobile application or email server) to distribute hateful, extremist, racist, terrorist or xenophobic messages. The repercussions mainly concern the corporate image. If an organization is unable to protect its own communication channels, how could it protect the confidential or personal data of its clients?
- Spying: The intentions are as varied as the potential consequences. Generally, attackers try to enter a system to obtain confidential data that can then be made public, sold to a competitor or used for their own purposes. Between the theft of technology, patents or technical solutions and the theft of sensitive personal data (medical records, criminal records, personnel files, etc.), modern spies gather a wealth of information that can have a lasting impact on an organization. This is even more true when an intrusion stays under the radar for weeks or months: unlike destabilization, espionage seeks to remain as discreet as possible.
- Sabotage: The digital equivalent of a bomb, where the goal is to do maximum damage. It is a destructive attack that can neutralize thousands of computers, servers or very specific software such as that found in hospitals, drinking water management units, nuclear power plants, etc. In short: aim where it hurts.
How to raise awareness at the management level
In the face of all these dangers, should we become scaremongers? No, but we need to be careful.
The good news is that solutions exist and are available to organizations. However, without guidelines from the management team, these solutions may be far more complicated to implement when the time comes. If the CIO is the linchpin of data and communications security efforts, management must drive them. To achieve this, be clear and concise, avoid technical jargon, and give decision-makers arguments that are relevant and effective:
- Avoid generalities and present specific risk factors. More specifically, what are the three main risks? What information should be absolutely protected, and how is it exchanged and stored?
- What do competitors or comparable organizations in the industry do? What are the current best practices? Take the time to document situations and practical cases. Point out that all organizations face the same challenges, and that yours is not an isolated case.
- What is the cost of an intrusion? Prepare different scenarios: theft of personal data, sabotage, espionage, etc. How much would disaster recovery cost? What would be the loss of income? What are the risks of financial penalties if the organization does not have a security system in place?
- Prepare a concrete case of a computer attack: where does the attack come from? How did it bypass current defenses? How long can it remain undetected? What data may have been stolen?
Myths and popular ideas
Without being cybersecurity experts, managers may have a vague idea of the subject or, worse, strong opinions about it. These are limiting beliefs that generally shut down any discussion, unless you are well prepared. Here are some examples.
Cybersecurity is not a relevant topic for our organization
This is a classic argument, especially for SMBs. For organizations that still perform a significant portion of their work offline, it is hard to understand why cybersecurity is so important. However, a single email or a connected smartphone is enough to infect an entire information system. Not to mention that the European GDPR regulation requires organizations processing personal data to implement appropriate technical and organizational measures to protect it. In addition to a potential loss of reputation, the organization could also face a heavy financial penalty for negligence.
We do not have the means
Your board or management considers direct and indirect security costs a liability rather than an investment. Yet it can afford insurance covering the organization's buildings or assets. The same logic applies here. The slightest security breach can generate operating losses one hundred or one thousand times greater than the cost of protection.
We are not worried about anything
This is the time to pull out the list of all cyberthreats you have countered so far: spam, phishing, viruses, malware, various hacks, social engineering … Be exhaustive! The goal is not to scare, but to show the reality of the threat landscape as it is today.
We will see the day problems come up
It is probably the most frustrating and least coherent argument, but you have to deal with it. To do so, present clear and detailed scenarios. Step 1, emails stop working. Step 2, local files and databases are encrypted. Step 3, confidential information is leaked.
An attack can lead to a total loss of productivity. Waiting for an incident to happen before reacting could very well mean that, by the time it does, the organization is completely paralyzed and there is nothing left to react with. Bankruptcies caused by cybercrime are not a legend.
In terms of cybersecurity, it is essential to work with management. Management plays a strategic role and must include cybersecurity in all its considerations. Making security everyone's concern is a cross-functional effort that must rely on the CIO, HR and Communications for a holistic view of the challenges involved.