Convincing the Board to stay one step ahead of cybersecurity

When senior management teams and boards review cybersecurity in their organisations today, what do they see?

Do they see the increasing requests for equipment, software, staff and budgets and think, “I thought we were already protected – why do we need yet more investment?”

Or do they see the ever-growing breadth and depth of attacks and the sheer determination of attackers to disrupt and steal from their business, and ask what else can we, or should we, be doing to stay one step ahead?

If you’re in the IT team, you already know that cybersecurity is a never-ending battle that requires continual investment. At a board level though, while they may not have the same view, we have seen within our client base a marked increase in board-level awareness and ownership of cybersecurity.

High profile data breaches such as Yahoo’s in 2016 have helped drive this increase in awareness, but the recent passing of the Government’s Privacy Amendment (Notifiable Data Breaches) Bill 2016 into law has made it crystal clear. This legislation requires all businesses over $3m in revenue to

• report any breaches or compromised personal data to the Privacy Commissioner; and
• notify affected customers as soon as they become aware of a breach.

However, being aware of cybersecurity and knowing what to do about it are two very different things.

In fact, for senior management teams and boards, there is a growing concern that a level of cyber complacency is starting to set in where 80% of companies surveyed in the ASX 100 Cyber Health Check¹ late in 2016, felt they are doing enough to protect themselves against cyber threats. This is despite the fact that 4 out of every 5 respondents expect cybersecurity issues to worsen.

When we look at our clients, we’ve seen a lot of investment over recent years in perimeter-based security, which is traditionally where the perceived weakness is – so boards may feel justified in their level of cybersecurity readiness. However, with the advent of Cloud, mobile and distributed application architectures, the concept of a perimeter has become very blurred and hard to define.

In the just released 2017 Internet Security Threat Report from Symantec², they discuss that “new sophistication and innovation marked seismic shifts in the focus of attacks”, and “cyber criminals caused unprecedented levels of disruption with relatively simple IT tools and Cloud services.”

As a result, they have seen the highest rate of malware in emails in 5 years with an estimated 1 in 131 emails containing malware. In addition, Business Email Compromise (BEC) scams relying on spear-phishing emails are targeting over 400 businesses every day.

2016 also saw the first major attacks on IoT devices with the emergence of Mirai – a botnet composed of IoT devices such as routers and security cameras that was big enough to carry out the largest DDoS attack ever seen.

Today’s networks have many more points of vulnerability than ever – and that’s before taking into account attacks based on compromised credentials which require a completely different approach.

Cyber complacency is dangerous for every business.

The key takeaway is that cyber complacency is dangerous for every business. At the same time, it’s difficult for a business to continually invest in more staff, training and equipment to avoid drowning in alerts, logs, patches and processes. At some point, a business needs to find a way to better leverage their cybersecurity investments to get the protection and the scalable return they need.

One answer for the board and senior management may be that businesses need to stop trying to do it all themselves.

This doesn’t mean completely outsourcing cybersecurity, but looking at your internal capabilities and augmenting your internal teams with a service that can scale and take the bulk of the load. This is especially true for monitoring and alerts – getting the help that will enable your team to respond to a breach in real time and take immediate action.

If you look at the Data^#3 Managed Security Service, we partner with Symantec to augment our service for this exact reason – they have a scale and capability that just cannot be matched by any internal IT team.

In their own words:

“Symantec has established the largest civilian threat collection network in the world, and one of the most comprehensive collections of cybersecurity threat intelligence through the Symantec Global Intelligence Network™. The Symantec Global Intelligence Network tracks over 700,000 global adversaries and records events from 98 million attack sensors worldwide. This network monitors threat activities in over 157 countries and territories.“ ²

A managed security service is still only one piece of the cybersecurity puzzle. However, with this specialised team helping you keep watch over your network, you can use your valuable internal security resources to continue the fight to stay one step ahead.

For more information contact Data^#3.

1. http://www.asx.com.au/documents/investor-relations/ASX-100-Cyber-Health-Check-Report.pdf
2. https://www.symantec.com/security-center/threat-report