Today everything is connected, so cyber-security features high on leaders’ agendas and is a top priority in every boardroom around the world. Each business has its own web of connections, often stretching across the globe. It’s fantastic for people working together or making their organization more efficient, but it’s also fantastic for criminals.
Hacking is a lucrative business. Digital crime costs the world around $400 billion a year and often occurs in ways companies don’t even consider. It’s not just about data theft: one criminal organization intercepted medicines and sold them on the black market for £200 million, because they got access to the route information.
In our report with KPMG, Taking the offensive, we found that almost every business (97%) has experienced some kind of attack, but fewer than a quarter (22%) feel prepared. This comes as no surprise, as about half of businesses don’t have a strategy to deal with blackmail, bribery or even criminals posing as members of staff.
As the pace and variety of attacks increase, you need to keep ahead, and there are four things you should be thinking about:
Is the board on board?
Security has to be on the board’s agenda. They need to be constantly thinking about the worst case scenario: what would happen if your information were stolen? How badly would your business be damaged if one individual were bribed or blackmailed? What are all the possible ways someone could attack? Board members with backgrounds in digital security and risk management can help the board, and even senior management, better understand the issues and more effectively communicate with the security team.
Other C-level roles will also need to evolve. The chief information security officer (CISO), for example, will need to be elevated from a traditional IT-focused role to one with direct accountability to the CEO and regular reporting to the board. Chief information officers (CIOs) will need to factor risk mitigation into every step the organization takes on its digital journey.
Is security part of your culture?
The board members can’t do everything themselves. You need to build security awareness into your organization’s culture by making it part of everyone’s role. Give them responsibility, and encourage them to speak up.
If everyone thinks about security, they’ll ask the right questions. For example, a recruiter can consider how much a planted employee could steal. They might then be proactive and help ensure you have the right vetting processes in place.
Have you separated your data?
I often tell people that they can’t avoid an attack. It’s going to happen eventually. You can do everything possible to recover what’s been stolen and catch the criminal, but eventually they’ll find that tiny hole and squeeze through.
The trick is to make sure you have layers between your systems. If your customer data is behind another wall, it’s safer. You want to make sure your most valuable information is hidden – even from your own employees. You don’t see bank vaults out on the street. They’re behind checkpoints, cameras and closed doors. Do the same with your data.
Do you have all the basics sorted?
It’s not just the big things you need to focus on; there are plenty of small things you can do too. Start by making sure passwords are strong and long and that all the right policies are in place. Encryption should be used across the board, and you need a response team ready to deal with attacks and minimize the damage. Spare a moment to think about whether your partners are keeping your data safe. Most importantly, think from a criminal’s perspective: try hacking back into your own business to identify vulnerabilities and then fix them.
Do all this and that’s how you’ll feel prepared.