The boards and executives of companies are meant to be good at balancing risk and opportunity; so why do so many have a massive blind spot when it comes to computer security?
High-profile hacking incidents and security breaches continue and despite the arrival of GDPR data protection rules in May aimed at prodding European organisations into improving security at the risk of large fines, many organisations still aren't getting cyber security right or don't understand what they're supposed to act on.
That's something the UK's National Cyber Security Centre (NCSC) is looking to change.
"Cyber security is now a mainstream business risk. So corporate leaders need to understand what threats are out there, and what the most effective ways are of managing the risks," Ciaran Martin, chief executive of the NCSC, said recently.
"But to have the plain English, business-focused discussions at board level, board members need to get a little bit technical. They need to understand cyber risk in the same way they understand financial risk, or health and safety risk."
But many board-level executives seemingly still don't understand cyber security risks, even if they are likely to be spending more on IT security than they did previously. And that's even after the WannaCry ransomware attack and the NotPetya malware outbreak, both of which caused vast damage and clean-up costs to organisations around the world hit by the malware.
So why do the upper echelons of many organisations still not understand the risks they face or know what they should be doing to counter them?
One issue is that within many organisations, cyber security is still viewed as an issue for the IT department, rather than the business as a whole.
"It's been very much seen as an IT problem because some of the requirements to prevent cyber attacks require technical mechanisms and procedures to be put in place, so boards think the tech team will take care of it," says Sarah Pearce, partner in the privacy and cyber security practice at international law firm Paul Hastings.
It's somewhat understandable as to why those who aren't fully technically literate might think that the guys who fix the computers should be held responsible for cyber security. But more often than not, attackers aren't going after IT, they're targeting finance, HR and other parts of the organisation which hold valuable data -- and users who might not be up to speed with cyber security issues.
"Now it does go to every single part of an organisation and I think there's now more of a recognition of that," Pearce says.
"But there's been no or very little allocation of responsibility and it actually needs to be driven from a centralised, senior level so that all of the various divisions of the business are engaged and that hasn't been coordinated -- and in some businesses, that's still not the case," she adds.
The NCSC released a list of five questions organisations should be asking in order to help boost their security. But while a question like 'How do we defend our organisation against phishing attacks?' might sound relatively simple to those in the know, those who aren't so familiar with the language of security might struggle to get to grips with the challenge.
"The technical landscape changes on an almost daily basis, so even just simple things like the first of the five questions -- how do we defend our organisation against phishing attacks -- there's three operative topics in that sentence," says Chris O'Brien, director of intelligence operations at threat intelligence firm EclecticIQ.
"What is a phishing attack? You need an understanding what that actually is. How do we defend against it? That's the technical and organisational changes you need to make. And the organisation -- some organisations don't have a full understanding of where their organisation ends, what they're responsible for."
It's also not a good strategy to force the IT department to come up with all the answers to questions which affect the whole organisation; instead the C-suite needs to be able to understand and answer these cyber security issues -- and drive strategy forward based on what they find.
"From an organisational perspective, IT can't be responsible for a lot of that detail, that has to be owned at the board level," says O'Brien.
The board needs to have a grasp on both business risk intelligence and cyber threat intelligence to the extent that they're aware of the potential threats to the organisation and the weak entry points which could be used by attackers to get into the network. From there, they need to take decisions about budgeting and strategy which then can mean the IT department making plans for updating and improving software -- or bolstering its security -- in relation to the risk.
Nonetheless, in some instances, providing this level of information to the board might not be enough. Despite almost daily reports about attacks and breaches against organisations of all sizes, some just don't think they'll be hit -- they believe it won't happen to them.
A perceived lack of risk can mean budgets get spent elsewhere -- something which may come back to bite businesses later down the line once a breach takes place.
"Until people are in that situation, they think what they have is good enough -- that's the problem. Companies see it, read about it, they may even be personal victims of compromises at major chains. But they won't apply that to their business," says Rodney Joffe, senior vice president and fellow at security company Neustar.
It's likely that board members have been caught up in data breaches of other firms, perhaps having had their card details stolen in an attack against a hotel chain or a retailer. Rather than viewing that as an isolated incident and forgetting about it, they should take on board what has happened and apply it to their own organisation.
"Look at the damage that could cause. It's worth spending the money to do it right, but until it happens to you, you don't think about it," Joffe adds.
Executives also need to take what they learn about cyber security and filter it down through the organisation. It's all very well knowing about the dangers of a phishing email, but that information needs to be shared with staff across the business.
Departments like finance and HR will bear the brunt of opportunistic attempts to steal funds and data, and time and resources need to be put in to ensuring that these areas understand the threats they face.
"Think about the practicalities like the training of everyone and everyone's aware and alert about potential phishing emails, making sure that people know what that means," says Pearce.
"That does come down to resources because you have to put time and money in to make sure this is carried out -- I think this is where some have slipped up," she adds.
The NCSC's recommendations to organisations are a good springboard for executives to take a look at their cyber security strategy. It's unlikely cyber criminals can suddenly be stopped but there are basic things that organisations could -- and should -- be doing to ensure that if they're attacked, then they're as protected as possible.