Cybersecurity – the top 5 considerations for CEOs
Cybersecurity has been top-of-mind for every single IT department across the country in recent times. Over the past two years, the spate of cybercrime has surged, and many South African organisations have been left reeling in the aftermath.
The recent PwC Global Economic Crime and Fraud Survey says that over a quarter of South African respondents believe that cybercrime will be the most disruptive, impactful crime faced over the next two years, and that cyber-attacks have become so inescapable that it’s becoming more strategically important to identify the mechanisms used by cybercriminals than to measure occurrences and impact.
This is a bold statement, as it highlights that adopting a proactive approach to cybersecurity must be seen as a business priority, today. However, many organisations are so indelibly focused on their digital transformation strategies and disrupting the market that, despite its looming presence in the IT world, many executives and CEOs remain unaware of the steps necessary to protect their digital initiatives and underpin their success.
1. Are you building your digital strategy on an insecure foundation?
Cybersecurity is fundamental to any digital transformation strategy. Without a secure base on which to build and interlinked security measures deployed across every platform, digital transformation strategies will crumble under the barrage of attacks expected to hit businesses as they deploy more technologies. The onset of a connected world may herald an era of uninterrupted, always-on and customer-centric business; however, it also provides myriad more ways for cybercriminals to gain a foothold in business networks.
According to a recent survey conducted by Cisco, 69 percent of surveyed executives indicated that their organisations are reluctant to innovate in areas such as digital services because of the perceived cybersecurity risks. However, it’s increasingly apparent that businesses need to digitally transform to remain relevant and innovative. Traditionally the preserve of IT, cybersecurity has evolved into an enabler of digital business growth, and should be a boardroom concern, addressed by every stakeholder and driven by business executives.
2. Your data isn’t where you think it is
As a CEO or business executive, can you say – with confidence and certainty – that you know exactly where all of your business data is, right now? Do you know who is looking after it or accessing it? Is it safe, or do you just think it is? These are all very important questions that every CEO and business executive needs to know the answer to. If you don’t, your data may be exposed to cybercrime.
Data perimeters have shifted, and the advent of cloud means that your business-critical data may reside across a number of locations, from your server on site, to various cloud locations, to an administrator’s USB drive or a salesperson’s mobile device. Shadow data, or data that employees access using unauthorised applications on their mobile device, or simply by taking work home with them on a flash drive, has become a critical area of concern that requires strict controls and awareness.
To protect your business, it’s imperative to take cognisance of the threats that exist so you have a better understanding of the complexities of securing a hybrid data environment. A business’ security controls must align with business processes, so that the movement, storage, accessing and dissemination of data remains secure, no matter what new technologies are introduced or which direction your digital transformation strategy takes.
3. Even the best security controls are ineffective without the skills to use them
It’s one thing to understand that you need cybersecurity controls and technology, but a completely different thing to have the right skills to keep pace with the changing cybercrime landscape and gain the optimal value from the controls and technologies your business employs.
Integrate Immigration lists IT security skills as a critical skills shortage in South Africa, promoting it as an area where immigrants are in demand to fill gaps. Unfortunately, the skills required to manage a cybersecurity environment surpass traditional IT or security skills. Whether you elect to outsource, or employ in-house cybersecurity skills, they need to incorporate a level of data science, an in-depth knowledge of the cyberthreat landscape, knowledge of the security tools needed across various platforms, and the controls needed to ensure they work.
It’s also becoming increasingly important to embrace social media and the dark web as valuable sources of information with which to build a threat profile for your business, and to understand what skills you require to employ the next-generation security tools that keep it secure.
4. Don’t treat security like a grudge purchase
As a CEO or business head, you understand that security is a necessary requirement; however, you may not know what you need to spend on it or how to build a cybersecurity budget that works for your business’ needs. With cybercrime having affected more than thirty-two percent of South African organisations over the past year, businesses can no longer afford to wait until they are affected themselves before acting.
The impact of a security breach extends beyond data loss – it affects a business’ reputation, customer service delivery and bottom line. A robust cybersecurity strategy not only protects your business, it adds value to the customers who entrust you with their data.
It’s important to ensure your security budget is in line with the maturity level of your business as well as the maturity level expected by the industry you operate in. You need to work hand in hand with your cybersecurity provider and IT team to understand the threats that exist for your industry, and build a security strategy, complete with supporting technologies and controls, that will ensure your business is secure.
5. Would you do business with a company that’s not secured?
This is a question your customers are asking of you.
We recently conducted a cybersecurity audit at a large dairy producer, who were astounded to discover how many shadow applications and unauthorised programmes were being used within their organisation, outside of their security controls. The risk of threat posed by those applications and programmes, as well as the threat of data loss, was immensely high, and top-level executives – some of whom were using their own unauthorised applications – were unaware. More importantly, the people responsible for the business’ cybersecurity were unaware.
Doing a credit check on partners is something a business doesn’t think twice about, yet we don’t concern ourselves with checking if our partners are secure, and if they are keeping our data safe. By doing a security check on your own business, establishing the weaknesses and addressing them, you can show your customers, partners and the world at large that you take security seriously, and that you demonstrate accountability and responsibility for the data that resides with you.
Cybersecurity is a differentiator, and not just something you do on the back end. Customers want to engage with businesses they trust and who take their data seriously.
Paul Jolliffe, Lead DSM: Security at T-Systems South Africa