CEOs have a lot on their plate. They are ultimately responsible for business strategy and planning, as well as leading operations. It’s no surprise then, that they lean heavily on their technical leads and departments, particularly when it comes to information security.
“While they believe they are being correctly advised about how best to protect their organisations from threats, too often they end up wasting their limited security budgets on tools and solutions that simply aren’t doing the job,” says Simon Campbell-Young, MD of Credence Security.
He says this happens because they are led to believe certain myths that simply aren’t true. “One of these mistaken beliefs is that cyber security is just an IT problem. Viewing digital threats as purely the purview of the IT department is one way to guarantee that they won’t be contained in time. Once data has been digitised, everything from accuracy, privacy and availability to integrity has to be protected – across all departments.”
Another myth is that attackers are all technical experts. This isn’t the case. For the most part, they are not unstoppable geniuses. “Sure, there are some highly intelligent minds behind some of the threats we see today, but it’s just as likely that hackers are regular guys with a little technical know-how, or even rank amateurs,” Campbell-Young says.
Most attackers simply know how to get something done with the tools available. “Many tools are passed down through criminal organisations, or these tools can be bought on the dark Web for a few hundred dollars. Sure, there are some highly skilled and well-funded groups working for nation states, but these are the exception, not the rule.”
Next is the mistaken belief that cyber criminals cannot be stopped. “In truth, many organisations have such ineffective tools in place, or have such a lackadaisical attitude about cyber security that it’s child’s play for attackers to penetrate their defences. While it’s true that the more well-funded and highly motivated criminal groups can’t be stopped 100%, many, many attacks can be stopped with a combination of the right tools, procedures and employee training.”
Campbell-Young says this leads to the next point, which is that CEOs believe they are investing adequately in employee security training. “The insider threat, whether through a careless or malicious employee, is still the primary avenue through which organisations are breached. Phishing and social engineering are still widely used by cyber criminals, mainly because they work.”
Yet despite this, most companies devote practically no time to training their staff about these threats. “Staff are simply not adequately trained to prevent social engineering from being successful, and as long as this is the case, organisations will continue to get hacked, irrespective of what else they do, and how many resources are thrown at cyber security tools and solutions.”
Then there’s the view that protecting their business is enough. “It isn’t. Today’s organisations are connected to a multitude of suppliers and other third-party partners, each of whom can be used as a stepping stone to gain access to their network. Remember, a chain is only as strong as its weakest link, and everything in the organisation’s ecosystem, from satellite offices, to the auditors, can be a threat vector.”
Finally, he says organisations are confusing compliance with security. “With increasingly stringent data regulations, CEOs have to make sure they meet all legal and regulatory compliance requirements if they don’t want to fall foul of regulators, and incur massive fines, not to mention reputational damage. However, what is needed to be compliant isn’t what is needed to be secure; in fact, the two can often be at odds.”