In a recent report, auditing giant KPMG identified the five most common mistakes managers make when trying to secure their organizations’ IT networks against cybercriminals.
The report asserts that company executives should exhibit leadership in cybersecurity with regard to allocating resources, governance and decision-making, as well as building an organizational culture in which everyone is aware of his or her responsibilities.
“Cybersecurity is a challenge for the leadership of many organizations. This, however, cannot be an excuse to divest responsibility to the ‘experts,’ ” said John Hermans, cybersecurity lead partner for KPMG.
Leaving the protection of IT networks to a specialized department of experts is just one of the main mistakes KPMG highlighted in its report. The other most common mistakes are insisting on total security, relying on cyberdefense tools, trying to beat the attackers and aiming to just comply with cybersecurity regulations.
Shooting for 100 Percent Security
Every large well-known organization will have information stolen and, possibly, made public, KPMG said. Coming to the realization that 100 percent protection against cybercrime is neither a feasible nor an appropriate goal is an important step toward a more effective policy, the report said, because it allows executives to make choices about defending against attacks.
A good defense is based on understanding organizational vulnerability, establishing mechanisms to detect an imminent or actual breach, and immediately confronting intruders to minimize loss, KPMG said.
In practice, the emphasis is often skewed toward prevention. “Once you understand that perfect security is an illusion and that cybersecurity is ‘business as usual,’ however, you also understand immediately that more emphasis must be placed on response,” the report explained.
Feeling Safe Behind Technology
Effective cybersecurity depends less on technology than leaders may think, KPMG said.
The cybersecurity industry is rife with specialist suppliers that sell technical tools, some of which are essential for basic security, but, according to the report, “they are not the basis of a holistic and robust cybersecurity policy and strategy.”
A company’s IT department should employ a robust cyber defense, but employees’ awareness of how they can affect cybersecurity is critical. “The human factor is and remains, for both IT professionals and the end user, the weakest link in relation to security.”
Cyberdefense tools will be effective only if people understand how to keep their networks safe. One of the most persistent risks companies face is when hackers manipulate employees to gain access to systems.
“This is often about changing the culture so that employees are alert to the risks and proactive in raising these with supervisors,” KPMG said.
Outgunning the Attackers
An organization’s cybersecurity policy should prioritize investment into understanding the value of information assets and the implication of any loss on the core business, rather than try to cover all risks, since it’s impossible to cover all assets all the time, the report authors said.
“In short, managers should be aware of the latest techniques but should not let this distract them from protecting their most important assets,” KPMG said.
Managers should ask:
- Do we know to whom we are attractive and why?
- Do we know what risks we are willing to take?
- Do we have insight into which systems store our key assets?
Effective cybersecurity policy and strategy should be based on continual learning and improvement, not solely on monitoring compliance, according to KPMG.
The report suggested that organizations:
- Understand how threats evolve and how to anticipate them. This goes beyond monitoring infrastructure, the authors said. “It’s about smart analysis of external and internal patterns in order to understand the reality of the threat and the short, medium and long-term risk implications.”
- Evaluate incidents in a way that allows lessons to be learned. “In practice, actions are driven by real-time incidents and often are not recorded or evaluated. This destroys the ability of the organization to learn and put better security arrangements in place in the future.”
- Use monitoring effectively. In many cases businesses have excellent monitoring capabilities, but the findings are not shared with the wider organization, the report said. And monitoring needs an intelligence component. Only if executives are certain of what they want to look out for does monitoring become an effective tool to detect attacks, the report said.
- Develop a method for assessing and reporting cyberthreats. This process should contain protocols to determine risk levels and escalations, and methods for communicating to the board of directors (if the company has one) about the impacts to the core business.
Calling in the Experts
Cybersecurity should be viewed as an attitude, instead of a department of specialist professionals, the report said. Putting the onus on one department may result in a false sense of security, according to KPMG, and foster a lack of responsibility in the rest of the company.
The report suggested that businesses make cybersecurity part of HR policy and, in some cases, link it to compensation. “It also means that cybersecurity should have a central place when developing new IT systems, and not, as is often the case, be given attention only at the end of such projects.”
What to Do Next
To determine your organization’s risk profile, KPMG suggests asking the following questions:
- Which processes and/or systems represent the greatest assets from a cybersecurity perspective?
- How much risk are we willing to take in relation to these processes and/or systems?
- How dependent is the organization on services from partners and suppliers, and how integrated are the corresponding IT processes?
- Do our partners have the same risk appetite and cybersecurity measures as we do?
- Have we developed a clear business case for our cybersecurity investments?
Depending on what kind of risk profile your organization develops, your cybersecurity budget should probably be 3 percent to 5 percent of your total IT budget, KPMG said. The report cautioned that a significant part of such a budget is often spent on implementing technological solutions and solving past problems.
“Ensuring your funds are spent appropriately on future system solutions is only part of the answer, however. Without good governance, proper cybersecurity processes and, of course, the appropriate culture and behaviors, these technological solutions will not prove their money’s worth.”
Roy Maurer is an online editor/manager for SHRM.
Follow him on Twitter @SHRMRoy.
Protect Your Business from Cyberthreats, SHRM Online Safety & Security, December 2012
Cybercrime 2012: Malware Threatens Social Media, Cloud Services, SHRM Online Safety & Security, December 2012
Employer Beware: Spyware Comes to Mobile, SHRM Online Technology, December 2012
Company Data Endangered by Lack of BYOD Security, SHRM Online Safety & Security, August 2012
SHRM Online Safety & Security pageKeep up with the latest Safety & Security HR news