Shift from Regulation-led to Culturally-embedded Cyber Security
We are at high risk of being immune to security breaches. With new security infringements grabbing the headlines on almost a daily basis, time and again one hears IT Directors and departments resignedly admit that a security breach is a matter of when, not if. At the same time, regulation is increasing with the risk of financial penalties due to non-compliance – the GDPR is an example.
The brutal reality is that the efforts of the cyber criminals in breaching organisations is fast outpacing the security measures that businesses are able to put into place in their enterprise. Organisations need to get smarter in utilising their resources to protect their business. There needs to be a shift in mindset – from a regulation-driven approach to one where security is embedded into the culture of organisations. This in turn demands that security becomes part of the DNA where people, technology and processes come together to create a robust defence for the business.
This kind of holistic approach is more important than ever before. Cyber criminals have evolved their efforts. Increasingly, they aren’t merely focussed on stealing business data for financial gain, they are now furtively manipulating data. The 2016 breach of the World Anti-Doping Agency, where the hackers manipulated and released the personal data of famous athletes is perhaps the most high-profile example. This kind of breach is even more dangerous as it can impact the validity and accuracy of strategic decision making by enterprises, affecting their future business health and reputation.
Organisations need to be investing in proactive cyber security where the security and IT strategies are seamlessly aligned across the IT infrastructure and every level of the business – hardware, software, network and user. Rather than being driven by regulatory fears – for example, the role of Data Protection Officers is a direct response to the GDPR – organisations need to be looking ahead to evolve their security defences in a timely fashion – be that skills, technology, processes or even security training and education for users. For instance, there are Regional Cyber Crime units that offer industry cyber security awareness training. From a technology and process standpoint, new concepts such as ‘need to know’ security, content segregation and ethical walls at scale are good approaches to help overcome some of the security challenges faced today.