Oops!… I Did It Again
We are all prone to making mistakes. But what are some of the more common mistakes that organizations make in the area of cybersecurity?
To find out, NetGain Systems had a conversation with Campbell Dullard, COO of CTRL Group, an Australian Information and Cybersecurity company providing a range of cybersecurity services to customers in Australia, New Zealand, and Singapore, including security risk assessments for some of the largest ASX-listed companies and government departments in Australia. Dullard shared with us some of the common cybersecurity mistakes they have encountered, and what businesses can do to avoid them.
TOO SLOW TO ACT
When it comes to cybersecurity, a lot of organizations tend to be reactive and only take action AFTER something has happened. Says Dullard, “It’s like not wanting to get health insurance until after you have broken a leg.” By then it is too late: the damage has already been done.
Obviously, the challenge for organizations lies in deciding what type of “insurance” to take up. Many different cyber threats abound, new ones are constantly surfacing, and a limited budget only makes such decisions more difficult. We will look at how to make an informed decision later, but for now, while acknowledging that handling every possible threat is impractical, it is equally obvious that having some protection is always better than having none.
ASSUMING IT IS IT’S RESPONSIBILITY
Cyber threats are threats to the IT system, and cybersecurity is all about protecting the IT system against such threats. However, the problems caused by cyber threats do not just affect IT systems; they can potentially impact the entire organization and its business. This is especially so when IT is used extensively throughout an organization to support, enable, and drive various aspects of its operations.
A disruption to an IT application may only disrupt the part of the business that relies on that application. But a security breach in one area of the IT system could have wide-ranging repercussions far beyond the affected area, touching not just the organization but its business partners and customers.
“The problem here,” says Dullard, “is to treat cybersecurity as an IT issue to be managed within the IT budget. But when a cyber incident occurs, it could become a whole-of-business issue that the organization is not prepared for.” It may seem natural to think of cybersecurity as an IT responsibility because it has to do with technology, but if an organization is hacked and company secrets, funds, or confidential information are stolen, or if the organization is unable to access its technology and conduct business, then that is no longer an IT problem; it is a business problem.
With our ever-increasing reliance on IT, it becomes imperative that cybersecurity is seen as a business issue and managed as such, not as an IT issue for IT to resolve. When you do so, “you are preparing properly for what one day could be a business problem,” says Dullard.
NO FOLLOW THROUGH
Many organizations realize the importance of cybersecurity, and often develop a plan or have a roadmap in place to achieve a certain level of security. The problem arises, however, when there is a failure to follow through with the plan. Or as Dullard puts it, “Sometimes plans are made with the right intentions, but as time goes on the business does not follow through on the plans previously made and approved.”
WHAT CAN BE DONE
According to Dullard, the biggest thing organizations can do is to be aware of their vulnerabilities. “Every company has some level of vulnerability,” he says, “and it is important that they have an understanding of what that vulnerability is.”
To do so, there are some things he suggests organizations do, including:
a. Monitoring their IT systems and logging security-relevant information
b. Carrying out regular penetration testing
c. Conducting a risk assessment against their business
By knowing their vulnerabilities and risk exposure, organizations can make informed decisions on the areas of cybersecurity to focus on. “Even if an organization does not attend to every vulnerability, having an awareness of its weaknesses will enable it to know what to do should those weaknesses be exploited.”
This leads us to the next thing Dullard suggests organizations do:
Have an incident response plan, and make sure you practice it regularly.
Such a plan would help mitigate any damage caused by security breaches and allow the organization to get back to “business as usual” as quickly as possible after a cyberattack. By practicing it regularly, you are not only ensuring staff know what to do in the event of a security incident, but you also have the opportunity to refine and adapt the plan to changes in the business, thus ensuring it stays up to date.
Of course, having a cybersecurity plan in place, whether it addresses vulnerabilities or is an incident response plan for security breaches, is all well and good, but we still need to overcome the danger of not seeing the plan through. Here, Dullard suggests that once a cybersecurity plan has been put in place, you should designate people to be responsible for the plan and its different aspects, just as you would for any area of business. Regular meetings, for example once every 3 to 6 months, should be held by those responsible to track the different aspects of the plan and ensure it stays on track. “The exact same principles apply to this as they do to any other area of business. Every area of an organization is being worked on to some extent at any given time, and there are regular meetings to track and improve them,” says Dullard.
In other words, a cybersecurity plan should be treated no differently from any other business plan or strategy, and its execution should be no different from that of any other area of the business. When we begin to do so, we will finally treat cybersecurity not as an IT issue for IT to resolve, but as a business issue to be tracked and managed like any other area of the business.
CTRL Group works with NetGain Systems to keep it and its solutions secure, from R&D and throughout the product development lifecycle.