Cybersecurity is everyone’s job within a business. But leadership starts from the top, writes Datapac’s Damien Mallon.
The importance of senior management involvement in an organisation’s cybersecurity posture and strategy cannot be overstated.
Cyber threats are more prevalent than ever before and they only continue to grow in sophistication, which makes cybersecurity a critical aspect of overall business strategy.
It’s a mistake to view cybersecurity as simply another aspect of IT to be cloistered away in the IT department – it needs careful consideration at senior management and leadership level, as it impacts all areas of the organisation.
Leadership involvement not only helps to foster a culture of cybersecurity awareness through leading by example, it also ensures that cybersecurity strategies are aligned with overall business objectives.
Cybersecurity at the boardroom level
For the vast majority of small and medium-sized businesses (SMBs) and enterprises (SMEs) operating in the digital landscape, technology has become so intrinsically intertwined with the business that the two have become one; they can no longer be viewed in isolation.
This dependency means that any significant cyberattack, data breach, or other form of compromise will disrupt business operations, leading to financial loss, operational downtime, reputational impact, and regulatory concerns – all things that keep senior management awake at night.
When making smart investments to bolster cyber defences, organisations shouldn’t even consider cybersecurity as an IT expense – it’s a business-level investment in future success and stability.
The challenge with cybersecurity insurance
Meanwhile, cybersecurity insurance is very quickly becoming a non-negotiable for businesses that wish to remain competitive.
For example, in our experience, having cybersecurity insurance is a mandatory requirement of any organisation partaking in public procurement competitions. As cyberattacks continue to increase we’ve seen insurance premiums rise, and the criteria for attaining coverage at all becoming more and more stringent.
Insurers are increasingly demanding detailed assessments of an organisation’s security posture before they will even consider providing coverage. Some of the things insurers will look for include evidence of comprehensive security protocols, regular security audits, tested incident response plans, 24/7 managed detection and response, and employee training and awareness plans. What’s more, cybersecurity insurance policies can be notoriously complex and difficult to navigate, particularly for SMBs that may not have the in-house expertise.
As with every form of insurance, businesses need to provide complete and accurate information to their insurer when securing coverage under the doctrine of utmost good faith. Due to the complexities surrounding cybersecurity insurance, it’s a very real possibility that an organisation will fail to provide wholly accurate information, not out of any malicious intent, but simply due to lack of understanding.
Whatever the reason, if an organisation in this position needs to make a claim, it will face very serious consequences. Insurance agencies very frequently hire a cyber forensics team to investigate the breach as part of the claims process, and if there are any discrepancies between the security controls reported at the application stage and what is really in place, they will be uncovered.
An obvious consequence is claim denial, as any inaccuracies uncovered can be construed as misrepresentation or even fraud. Even if the claim is upheld, business owners can expect to see skyrocketing insurance premiums and far stricter policy terms upon renewal.
Businesses can even face legal and regulatory repercussions, particularly if the data breached contained personally identifiable information. If it was found that the organisation didn’t take appropriate precautions in securing this data, they could be in breach of GDPR and suffer penalties including severe fines and a temporary or permanent ban on data processing.
Emerging email threats
Business email compromise (BEC) is on the rise and is a major concern for Irish SMBs.
This occurs when threat actors gain access to the mailbox of a high-ranking executive or a finance department employee, often through a phishing email, and use this access to execute, among other things, fraudulent funds transfers, targeting the infiltrated organisation itself or its partners and customers.
For a long time, having additional security tools and protocols, like multi-factor authentication (MFA), was considered a gold standard in defending against this threat, but worrying developments in cybercrime are making it easy for threat actors to bypass these defences.
This is often achieved through what’s known as Adversary-in-the-Middle (AiTM) attacks. The adversary sends a phishing email to the victim linking to a website that looks exactly like the legitimate one the user intends to visit.
Believing the website to be legitimate, the user enters their login credentials, which the fake website immediately forwards to the real website in real time. The legitimate website then issues an MFA prompt; the fake site intercepts it and passes it on to the user, and relays the user's response back in the same way. This allows the attacker to bypass MFA while the user remains oblivious to any wrongdoing. It highlights the crucial importance of adopting a layered approach to cybersecurity.
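As an added illustration that is not part of the original article: a small Python model of why a typed MFA code survives being relayed through a look-alike site, whereas a second factor that is cryptographically bound to the site's origin does not. The user name, password, seeds, keys and both origin hostnames are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed example data; nothing here comes from the article or any real deployment.
LEGIT_ORIGIN = "https://login.example.com"   # the site the user means to reach
PROXY_ORIGIN = "https://login-example.net"   # the look-alike site that relays traffic
USERS = {"alice": {"password": "correct horse", "otp_seed": b"otp-seed", "key": b"authenticator-key"}}

def otp_for(seed: bytes, window: int) -> str:
    """Six-digit time-based code; stands in for a real TOTP implementation."""
    mac = hmac.new(seed, str(window).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def login_with_otp(user: str, password: str, code: str, window=None) -> bool:
    """Password plus code-based MFA. The server only sees the code, not where it was typed."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return False
    window = int(time.time()) // 30 if window is None else window
    return hmac.compare_digest(otp_for(rec["otp_seed"], window), code)

def relay_otp_login(user: str, password: str, code: str, window=None) -> bool:
    """What the look-alike site does: forward credentials and code unchanged. The code
    carries no origin information, so the legitimate server accepts the relayed login."""
    return login_with_otp(user, password, code, window)

def sign_challenge(key: bytes, challenge: bytes, origin: str) -> str:
    """Origin-bound second factor (modelled loosely on WebAuthn): the authenticator signs
    the server's challenge together with the origin of the page that presented it."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).hexdigest()

def login_origin_bound(user: str, password: str, challenge: bytes, signature: str) -> bool:
    """The server verifies against its own origin only. A signature produced for the
    proxy's origin never matches, so the relayed login fails despite the user cooperating."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return False
    expected = sign_challenge(rec["key"], challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(expected, signature)

def demo() -> tuple:
    """Return (relayed OTP login accepted, relayed origin-bound login accepted)."""
    window = 1_700_000_000 // 30                              # fixed window keeps the demo deterministic
    user_code = otp_for(USERS["alice"]["otp_seed"], window)   # the code the user reads off their app
    otp_relayed = relay_otp_login("alice", "correct horse", user_code, window)
    challenge = b"server-challenge-1"                         # issued by the legitimate site
    # The authenticator signs for the origin actually shown in the browser, i.e. the proxy.
    sig_from_proxy = sign_challenge(USERS["alice"]["key"], challenge, PROXY_ORIGIN)
    bound_relayed = login_origin_bound("alice", "correct horse", challenge, sig_from_proxy)
    return otp_relayed, bound_relayed   # (True, False)
```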
Aligning with proven cybersecurity frameworks
The belief that any single product can provide adequate protection is misguided, as silver bullets don’t exist in cybersecurity. Businesses should adopt a more strategic and methodical approach from the top down by aligning their security measures with internationally recognised frameworks, such as the National Institute of Standards and Technology (NIST) framework.
This alignment enables organisations to identify gaps in their defences and take steps to address them. For example, many invest heavily in solutions that prevent breaches and facilitate recovery, but few focus on actively hunting for existing threats within their networks and responding to them, which would be covered by the integration of a managed threat detection and response (MDR) service.
The Network and Information Systems Directive 2 (NIS 2), set to take effect later this year, aims to strengthen the cyber resilience of essential and important entities across the European Union. It builds on the original NIS Directive, broadening its scope to encompass a wider range of sectors. While hundreds of Irish entities were concerned with the original NIS Directive, NIS 2 will affect thousands more.
Those impacted must implement robust risk management practices, including regular security assessments, incident response plans, and continuous monitoring.
Similarly, the Digital Operational Resilience Act (DORA) will affect many financial institutions in Ireland this year, necessitating comprehensive risk management frameworks, incident reporting and management, regular testing and audits, and risk management procedures for all third-party providers. If organisations affected by these new regulations are not already prepared, it is essential that they seek the assistance of an experienced advisor to develop a roadmap for compliance.
By integrating cybersecurity into the broader business strategy, leaders can ensure that the organisation’s risk management framework adequately addresses cyber threats.
In turn, this will protect critical assets, ensure business continuity, and boost cybersecurity awareness right across the business.