All too often, it takes a major incident for business leadership to focus on cyber issues, according to a government-commissioned study of victims
- Alex Scroxton, Security Editor
Published: 18 Aug 2022 13:06
Business leaders across the UK are, more often than not, failing to take cyber security risk into account, and only appear to appreciate the need to have appropriate protections in place in the wake of a major incident, according to a whitepaper produced by the Department for Digital, Culture, Media and Sport (DCMS).
The DCMS interviewed IT leaders, including CISOs, at a number of anonymised organisations that had experienced a cyber attack or data breach, and found that while many of them agreed there is a need for increased investment in security, and most considered themselves better prepared than their peers, they also said there were varying degrees of support for, and interest in, security from other leadership teams.
Some said business leadership did grasp the importance of security and was supportive of it, but they also expressed doubt that boards understood the scale of the threat, or the cultural shift needed to meet it.
As a result, the paper said, for many IT leaders, cyber incidents actually had a somewhat positive outcome, in that they demonstrated that the threats are real, underscored the importance of security, and made it easier for them to make the case for investment to an engaged, albeit somewhat frightened, board.
One respondent, the CSO of a logistics, manufacturing and e-commerce platform provider, experienced a significant distributed denial-of-service (DDoS) attack via the firm's third-party hosting services provider on the evening of 3 July 2021, minutes after kick-off in England's European Championship quarter-final match against Ukraine.
Despite a stressful few hours for the firm's IT teams, the attack was contained and services were back up and running in relatively short order, although the business took a £500,000 hit in lost sales.
Post-breach, the CSO said the business has embarked on a wider programme of transformation and has implemented threat monitoring and security testing, designed to mitigate eight identified cyber risks to the business.
The CSO said: "I'd say prior to the breach I had 100% support of the board, and post-breach it was 110% support. I'd say that helped accelerate the delivery of plenty of components of my programme."
Another respondent, an IT manager at a wholesale and retail business, experienced a cyber attack in November 2021 which saw the organisation's Microsoft Exchange server compromised and hijacked to distribute spear-phishing emails to the company's contacts.
The firm only became aware of the incident when people began to contact it in response to these emails, and the IT manager described a period of ensuing well-hidden panic, because an external IT consultant the business had used was unavailable, meaning the firm had to deal with it itself.
The attackers were subsequently able to return and repeat the attack, culminating in the discovery that the firm had been breached months earlier via a compromised patch.
Ultimately, the business was forced to rebuild much of its IT infrastructure from the ground up, with significant downtime and business impact as a result, including lost customers, lost revenue and substantial reputational damage.
However, the IT manager said there had been positives, notably a big change in culture: "Before, I was the person who made it difficult to do things, which I think is standard, but now people know very well what they are spending money on."
A third respondent, the head of the security operations centre (HSOC) at a large private sector organisation with over 150,000 employees in the UK, saw the organisation hit by a similar attack in early 2021, when its brand was hijacked in a smishing campaign that redirected its customers to compromised websites.
Even before the incident, the HSOC said, the organisation had viewed cyber security as a board-level business issue, since it involved financial, operational, strategic and customer risk. The organisation also operates in a highly regulated sector, so its compliance regime is generally good.
The HSOC told the DCMS interviewer that the incident had ultimately proved beneficial because, despite the board's rigorous approach to cyber, it really highlighted the importance of security to leadership.
"In the past, the challenge for us is that we were partly a victim of our own success, as we were so good at protection that we never had a major incident, so we never had evidence of the importance of cyber security," the HSOC said.
Tessian CEO Tim Sadler said that although it was positive that businesses were taking steps to strengthen their defences after attacks occurred, this was too often too little, too late.
"Business leaders need to listen to their security teams to understand the ways they can proactively protect their organisation before a costly breach occurs," he said. "A recent Tessian report revealed that 58% of employees think senior execs at their company value cyber security, a statistic that should be dramatically reduced.
"A top-down and collaborative approach to strengthening defences and building robust security cultures is so important to ensure everyone understands the role they play in protecting the organisation from cyber attacks."
Sadler added: "A 'what's the worst that could happen?' mentality is risky when it comes to cyber security, particularly when you consider that three in four businesses have experienced a security incident in the last 12 months."