2020 – The Year of Cybercrime?
With cyberattacks increasing 50% year on year and data breaches bringing companies to their knees, Stephen Burke, CEO of Cyber Risk Aware, predicts a cyber-riot and challenges CEOs to meet it head-on.
Over the course of 2019, there has been a massive 54% increase in data breaches and the consequences in many cases are dire. What you read in the press is the tip of the iceberg when it comes to the severity of these attacks and the headlines are dominated by huge fines imposed upon global players such as Capital One, Yahoo, Verizon and British Airways. However, the headlines don’t touch on why these breaches continue to happen. Why can’t these corporations with vast IT and Information Security budgets keep their data safe? And if they can’t, how can the CEO of any organisation work to ensure the security of their data?
The reason that the headlines don’t focus on the main vulnerability and the real source of the data breaches is that the answer is banal and simple: The fault lies with the human. £100s of millions are spent on large-scale technical solutions designed to defend the network, and even Kaspersky, one of the leading global enterprise security solutions providers, understands the importance of the human factor in enterprise security and advocated the importance of employee education in CEO Today back in October.
The trend that CEOs need to bring to the fore when interrogating their digital infrastructure is that the rise of cyberattacks shows no sign of abating, and the most important and undisputed fact is that over 90% of data breaches are caused by human error. This is a massive statistic when you consider that the huge budgets invested in state-of-the-art information security can be undone by one simple absent-minded click on a phishing email.
The types of vulnerabilities being exploited by criminals are varied. They start with Business Email Compromise (BEC) and Email Account Compromise (EAC), where attacks (as recently reported by the FBI) have cost organisations globally more than $26 billion since 2016. Phishing emails, particularly emails made to look like they come from trusted sources, are the major culprits. Every CEO will have heard about Ransomware and Mobile Malware, and IT departments are constantly keeping up with the latest developments, but there can still be vulnerabilities that can be exploited within the infrastructure.
A natural step to address these vulnerabilities is cybersecurity awareness training but for many organisations, this is often an afterthought employed after the system has been breached and the company has suffered. Many organisations who do implement cybersecurity training programs often just train the technical staff – missing the real source of the problem – the employee at the frontline.
CEOs today need to view cybersecurity not as an IT problem but as a real business issue. Every employee within any organisation large or small should be cybersecurity trained on how to spot risks and act on them. They should know the consequences and implications and training should be implemented at every level of the organisation and in every department. Every computer, every communications device, is an open door to a criminal and at the moment untrained employees are not only opening the door – they are propping it open and inviting them in.
In essence, in 2020, CEOs need to build a cybersecurity awareness culture within their organisations. Training needs to be ongoing: Employees come and go and threats change (in method and delivery). The best way of combating a cyber threat is through continuous real-time training where the IT department automatically and continuously runs simulations of cyberattacks randomly across departments and assesses the threat according to the response of the employee. The best networks allow for employees to flag up strange or suspicious activity to their IT departments with the touch of a button – effectively quarantining an attack.
Finally, accountability is key: It is no longer good enough to bounce cybersecurity over to the IT department as something for them to deal with. Cybersecurity awareness will keep many businesses alive, protect them from threats and ultimately give them robust competitive advantage.
In conclusion, the holy grail is the combination of education and the right technical tools. It is the most expedient and efficient protection for any business. All organisations need to recognise and prioritise cybersecurity and assign accountability for its risk to appropriately qualified senior executives. Cybersecurity should be elevated within the organisation from being seen as an IT issue, to being seen as a real business risk. Another equally important consideration is audit, regulatory compliance, cyber insurance and security requirements that further protect any business and are satisfied by the implementation of the right training tools and processes.
Ironically, tackling the human problem is easier than you think: the tools and platforms are there. They are simple to deploy and at a significantly lower cost than expensive enterprise software solutions. All too often companies and technical departments are overthinking security. Get back to basics and do the basics right by focusing on staff as the first line of defense. Cybersecurity is not a quick fix. Criminals will keep coming and it is today’s CEO’s responsibility to treat this risk with the gravity it deserves.
By recognising and reacting proactively to the latest upward trends in cyberattacks, CEOs in 2020 who implement a cybersecurity awareness culture can stay a step ahead with pre-breach solutions and tackle the real fragility of human error. They can build a human firewall that, in turn, protects the technical firewall.