From malware and ransomware through to internal espionage and onto state-sponsored hacking, businesses face cybersecurity threats across a broad range of vectors. As the appointed guardians of enterprise IT, how can CIOs help ensure great information security in a digital age? ZDNet gets best-practice advice from five experts.
1. Put the right policies and patches in place
David Walliker, who is CIO at both Liverpool Women's NHS Foundation Trust and the Royal Liverpool and Broadgreen University Hospital NHS Trust, recognises that protecting patient information is a number one priority for technology professionals in the healthcare sector. "It's all about doing your job properly — I'm quite clear on this," he says.
Walliker says it's easy to blame misguided individuals who click on suspicious links, but senior managers must also understand their roles and responsibilities. He says some NHS organisations have been slow to recognise the importance of policies and procedures. By taking proactive steps, his organisation is aiming to ensure the impact of incidents like WannaCry, which cost the NHS almost £100m, are limited.
"If people had patched their servers and firewalls in the first place, it wouldn't have happened. WannaCry wasn't a cyberattack — it was a cyber incident that was the result of some people not doing their jobs properly. That's why one of the things we're majoring on right now at the Women's Hospital is cybersecurity," says Walliker.
"We're one of a handful of Trusts to have received the full Cyber Essentials accreditation. For me, it's important to be able to say to your patients that — if we do want to do things like open access and put health records on devices — that they know they can trust us to look after their information when it's in transit."
2. Place a strong emphasis on education
Sarah Flannigan says she learnt a huge amount about cybersecurity by being CIO at EDF Energy, a role she left late last year. Part of her responsibility at EDF was ensuring the safe operation of critical UK national infrastructure.
"That takes everything to a whole new level in terms of information security," she says. "Even when you're working with other organisations at a state-to-state and hyper-sensitive context, the same truth applies — and that is your weakest link is actually your staff. It's all about education; information security is everyone's business."
SEE: 10 tips for new cybersecurity pros (free PDF)
For CIOs looking to strengthen those links, Flannigan says staff training plays a critical role. IT leaders have long-championed the benefits that come from testing internal security procedures. Flannigan encourages tech leaders to explore all potential avenues when it comes to preventing attacks through popular techniques such as phishing.
"Running regular, internal tests to see how your staff respond, and then publishing the results to executives about how many people clicked on a link, can really help. While people don't like being trapped, it really focuses the mind and teaches people a valuable lesson. Enterprise-wide education is key, whatever the context," says Flannigan.
3. Keep an eye on your suppliers
Andy Kravitz, head of fraud systems and controls at Lloyds Banking Group, says there is significant onus on IT leaders to explore the options — both in terms of technology and culture — when it comes to establishing effective information security.
"There's a lot you can do," he says. "That can be around implementing technical controls, or it could be about briefing your colleagues. So, telling them not to open email from outside the firewall that includes attachments, or being really aware of the risks to look for."
Kravitz — who spoke at a recent RSA security event on managing risk in London — says CIOs should also keep an eye on their suppliers. While data security is often seen as an internal issue, the connected nature of business in the digital age means external cybersecurity matters more than ever before.
"Just because you've got your four walls locked down, you might still be giving a good proportion of your data to a third-party company that is hosting your services or holding your customer information," says Kravitz. "It's crucial to recognise that your data is just as attackable when it's with a vendor as it is when you're holding it within your four walls."
4. Use automation to help manage regulatory requirements
Neira Jones, partner at Global Cyber Alliance, which is an international, cross-sector effort dedicated to eradicating cyber risk, says she feels sorry for executives trying to maintain information security because the regulatory environment is complex. She points to governance across finance and payments, suggesting there's 15-plus regulations that firms in the sector are supposed to comply with.
"That's really tough," says Jones, who has previously worked in executive roles for firms including Barclaycard and Santander. "The key is to look at all those regulations within the context of fraud prevention and cybersecurity. Look at that legislation in a holistic way and recognise that all these regulations touch on very similar things."
SEE: IT pro's guide to GDPR compliance (free PDF)
Jones suggests CIOs should take advantage of the convergence that has taken place during the past few years in terms of fraud prevention and cybersecurity. "They're now two sides of the same coin; you need to realise the economies of scale in that respect," she says.
"You can't comply with all these regulations manually, both in terms of traditional and emerging technology, such as machine learning and artificial intelligence. So, automation will be key — look for new tools. Focus on toughness in terms of compliance and data protection."
5. Accept you're going to get hacked anyway
Andrew Gould, detective superintendent and national cybercrime programme lead at the National Police Chiefs' Council, says it's still concerning how many organisations fail to cover the basics. Like other experts, he says password policies and patching remain crucial, even if these requirements are difficult and sometimes disrupt day-to-day business operations.
"If that patching solves 80 percent of your problems, then that has to be a massive focus," says Gould. Yet patching shouldn't be the only focus when it comes to technology. While CIOs must work to keep people out, they must ensure their business can recover when the unthinkable does happen.
"Accept that you're going to face an incident or issue — what absolutely cannot fail in those circumstances are your backups," says Gould. "Time and again we see people haven't backed up or, if they have backed up, they haven't tested it — and when they press the button to get their data back, nothing happens. In many ways, backup has to be your number one priority."
PREVIOUS AND RELATED COVERAGE
As companies are engulfed by change, maybe techies can help staff make sense of it all.
What does a CIO do and how do they relate to the CTO and CDO? Everything you need to know about the role of the CIO.
Storage automation and big data helps Mercedes F1 make better decisions, faster.
As 5G technology gains momentum, CIOs and business leaders need to prepare for the opportunities -- and the potential fallout.
4 ways your company can avoid a data breach (TechRepublic)
Only one in three organizations say they are confident they can prevent data breaches, according to Balbix.
A group linked to Russian government agencies targeted more than 100 people researching electoral integrity and public policy.