BreachExchange mailing list archives

Cyber security needs to be tackled from all angles


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 19 Feb 2016 14:37:01 -0700

http://www.itwebafrica.com/home-page/opinion/235877-opinion-cyber-security-needs-to-be-to-tackled-from-all-angles

There has been extensive discussion on the topic of cyber security threats,
highlighting the need for organisations to be mindful of the impact on
their reputation and bottom line should a cyber breach occur. With the
proliferation of the connected workforce and the spread of mobile devices
into every aspect of our lives, the risk of security breaches and data
theft has increased significantly too.

Despite substantial media coverage on the issue, corporates are generally
not doing enough to protect themselves as well as their employees from the
risks in cyber space. Organisations need to examine how they can better
equip their workforce to deal with data breaches and understand that every
employee poses a potential risk to the organisation in terms of IT
security. In so doing, it will become evident that it is critical for the
CIO and CEO to be on the same page with regard to cyber security, as
technology alone cannot protect against a myriad of possible cyber-attacks.
In short, cyber security is a shared responsibility that needs to be
tackled from all angles.

Cyber security is a growing global issue

The Information Systems Audit and Control Association (ISACA) Global
Cybersecurity Status Report 2015 surveyed around 3 400 ISACA members in 129
countries worldwide and reported that 83% of respondents considered
cyberattacks to be among the top three threats facing organisations across
the globe today.

Closer to home, Grant Thornton's International Business Report (IBR) on
cyber security revealed that one out of every 10 South African private
sector businesses has experienced a cyber-attack in the past year, as
compared to a global average of 15%.

As these prominent security breaches and hacks become more commonplace,
businesses are putting themselves at risk if they lack a thorough strategy
to prevent, detect and control cybercrime. It's clear from the IBR that
cyber-attacks have a direct effect on the bottom line but, despite the
undeniable risks, almost 45% of respondent executives in South Africa
revealed that they had no security strategy in place to address potential
cyber threats.

Addressing the issue of cyber security within the organisation

When it comes to security control, there are essentially three aspects that
need to be addressed: first, defining what needs to be controlled; then
monitoring for adoption and compliance; and thereafter implementing a
consequence for non-compliance with control methodologies. All too often,
one of the three aspects is overlooked or underplayed, which reduces the
effectiveness of cyber security measures in the business. Addressing cyber
security effectively requires acknowledgment of the fact that it's about
more than just technology; it's about managing people and risk.

From an IT perspective, it is the CIO's responsibility to protect the
business infrastructure and data from falling into the wrong hands; this
includes business data, customer data and employee data. The biggest
challenge for organisations lies in managing mobile workers and mobile
devices, especially when it comes to providing the controls to protect the
company itself without affecting employee productivity.

While organisations cannot control personally owned devices, they can offer
a number of technology options to enable workers to do their jobs, which
might involve checking mail, browsing the Internet or logging onto company
applications. Control can be applied at a gateway level, only allowing
people to connect if they have anti-virus software, or if they're able to
authenticate their identity. This is also where technologies that address
email, phishing, ransomware and the like come into play.

Cyber security is a shared business responsibility

Beyond this point, cyber security becomes the realm of the CEO (as specified
in the Protection of Personal Information Act) and it is a responsibility
that is shared with the employee. Even though it is an IT task to enable
employees to do their job, it is also incumbent on the employee to realise
that there are risks attached to their actions, for which they must be
accountable.

This is where the CEO must shoulder responsibility for the enforcement of
risk and compliance type controls, because, unless the business oversees
the implementation of these controls, IT will merely be providing the
technology without the authority to ensure that employees are heeding these
controls.

As the CEO holds authority over the main resources of the organisation –
the employees – this individual is responsible for ensuring that the
workforce adopts and abides by the selected security measures and policies,
through the appropriate channels of employee awareness and education.

To be effective it's critical that all aspects of the business align on the
issue of cyber security – from the CEO to the CIO and through to employees,
particularly with POPI coming into effect imminently.

Technology alone is not sufficient to keep businesses safe, and all
stakeholders in the business need to be involved in addressing cyber
security concerns, both in the boardroom and inside the IT department. It
will require management teams to push cyber security strategies to increase
staff awareness, and for the business to have policies and procedures in
place to deal with cyber threats as they arise, from all angles.