The role of IT has grown enormously. As more functions, processes and data become digitised in modern organisations, the threats that arise from weak (or absent) cyber-security have become more advanced and harder to defend against.
Cyber-security is no longer a matter of hobbyists writing simple computer viruses for entertainment. Today, sophisticated criminal gangs make millions every day by exploiting cyber-security weaknesses.
Threats are everywhere
The threats from these sophisticated external actors are further compounded by the accidental or malicious release of information by internal staff. Managing ‘the human firewall’ is a difficult task because, by the nature of their roles, internal users need access to sensitive data to do their jobs.
Any responsible organisation should want to minimise the ability of these users to release that data, whether by accident or on purpose. However, many organisations struggle to implement an effective process for managing the ‘insider threat’.
Moreover, with GDPR coming into force in May 2018, any organisation that does not take steps to mitigate the threats posed by internal actors could be liable to significant fines (up to €20 million or 4% of global annual turnover, whichever is higher).
You can’t just start over
There are significant technical challenges. IT carries “technical debt”: systems that represent a past investment, that still work well, and that have been in place for years without upgrades. If a system works well, why would a company pay to fix it?
Whilst this makes sense from a financial and operational perspective, this technical debt now causes serious problems when vulnerable software needs patching. Keeping old services running creates additional interdependencies between systems and versions, so that patching one component risks breaking another. These issues can be resolved, but doing so will require substantial outlay to ensure that the systems can be maintained securely.
Effectively mitigating the risks posed by modern cyber-security threats needs a considerable and consistent investment of time and resources, along with the authority to require unwilling individuals or departments to adhere to the security standards and policies set within the organisation. Any serious effort to reduce cyber-security risk will need board-level sponsorship and management from senior levels within the organisation.
The risks are serious
Without senior management support, any risk-reduction efforts by IT or other parts of the business will result in only partial improvement of the organisation’s security posture. It is in senior management’s own interest to provide that support: recent large-scale breaches have inflicted significant tangible and intangible damage on organisations (as Dido Harding, former CEO of TalkTalk, knows all too well).
You can never completely eradicate cyber-security risk. The world has become too digitised and connected. You can, however, take steps that will significantly reduce that risk and give your organisation the best possible protection.
A full cyber-security audit across people, process and technology is the best place to start. Once it is complete, you can formulate a ‘defence in depth’ strategy to mitigate the myriad security risks that face modern organisations.