The C-level is becoming more active in cybersecurity


By Thomas King, Head of Cyber Security Products, Telstra
Friday, 12 October, 2018


The C-level is becoming more active in cybersecurity

C-level executives are in a prime position to promote a unified approach to cybersecurity and drive awareness and adoption throughout their organisations.

C-level executives are no strangers to risk. They make important business decisions regarding financial and regulatory risk every day, and increasingly they have to do the same with cybersecurity risk.

Cyber risks are frequent and the damage caused to organisations in the event of a breach are highly detrimental. The Cisco 2018 Annual Cybersecurity Report suggests 53% of attacks now result in damages of $500,000 or more, while 8% of attacks resulted in damages in excess of $5 million.

Given the increasing likelihood of being affected by a breach, as well as the legal requirement for businesses to publicly disclose any loss of data, security is now an organisation-wide concern.

The good news is that executives are continuing to take a more active role in cybersecurity by understanding the importance of security initiatives, increasing their involvement in these initiatives and shouldering more responsibility for security incidents when they occur.

A team effort

The Telstra Security Report 2018 discovered the IT department is still seen as the main business unit that leads cybersecurity initiatives, with 40% of respondents believing the IT team are primarily responsible in the event of a breach.

However, the same research found a high number of respondents placing attribution of responsibility on the shoulders of the C-level of businesses — 20% of respondents surveyed held the CIO accountable for a breach, while 19% pointed to the CEO.

This trend is likely because employees expect leaders to take responsibility for issues that impact the bottom line in the way an unexpected breach can. But in an environment where a stolen device or single misguided response to a suspicious email from any employee could spell disaster, organisations need to take a unified approach to cybersecurity.

As the report outlines, more Australian organisations are putting in place an incident response plan (76% in 2018 versus 66% in 2016). They are also testing and reviewing their plans more frequently. This has resulted in improved response times in the event of a security breach.

The frequency of security reporting in Australia is also on the rise — 37% of organisations surveyed in the report are recording their security activities on a quarterly basis, with 29% submitting reports monthly. These figures are shining examples of comprehensive initiatives in practice and underscore the positive role executives can play in the development of security solutions.

These programs deliver tangible results and enable businesses to be proactive in their fight against cybercrime. Yet they require a commitment at the C-level because the deployment and execution of incident response plans demands investment, leadership from the top and effective staff training.

A helping hand

Having the appropriate solutions and policies in place is important, but there is a critical human element that needs to accompany the overall process. Basic training designed to drive awareness and equip employees with the ability to spot suspicious behaviour can be the difference between a secure organisation and a hefty fine and damaged reputation.

A lot of attacks could be preventable if employees are trained in cybersecurity best practice. The Office of the Australian Information Commissioner (OAIC) publishes quarterly statistical information notifications received under the Notifiable Data Breaches (NDB) scheme. Its recent July 2018 report identified human error as the major source (36%) of reported breaches.

A large quantity of malicious attack comes back to this idea of human error. Staff can be prone to making mistakes, accidently clicking on phishing emails or disclosing passwords. Figures like those published in the OAIC report point to the fundamental role awareness plays in an organisation’s cybersecurity defences.

This is because employees are the critical first line of defence against attack. Employees should be informed on how to identify potential breaches like email phishing campaigns, and organisations should have specially devised playbooks to deploy in the event of a crisis.

Executives need to create organisational buy-in by championing tailored contingency plans and long-term security education programs.

C-level executives are in a prime position to help alleviate some of the pressures of the IT department, by empowering their work-force to become a formidable first line of defence.

Regular training for staff and consultation with skilled security partners can help a company dramatically reduce any chance of a major breach. Formal and consistent end-user preparation at all levels of the business can ensure employees know how to handle sensitive data appropriately.

As modern workplaces take advantage of cloud technologies and increase their collaboration with third parties, leaders should prioritise a unified approach to cybersecurity to drive awareness and adoption throughout their organisations.

Image credit: ©stock.adobe.com/au/3dmentat

Please follow us and share on Twitter and Facebook. You can also subscribe for FREE to our weekly newsletter and quarterly magazine.

Related Articles

Nation-state actors have their sights on the cloud

Prioritising the protection of credentials and adopting robust security measures can better...

Combating financial crime with AI

Rapid digital transformation across Australia and New Zealand has provided cybercriminals with...

Learning from the LockBit takedown

An international taskforce has seized the darknet sites run by LockBit, but relying on law...


  • All content Copyright © 2024 Westwick-Farrow Pty Ltd