Can an organization be 100% protected against cyberattacks?
While trying to answer this question, former US FBI Director Robert Mueller’s words can be considered: “There are only two types of companies: those that have been hacked and those that will be.” No organization has full protection from cyberattacks, and if it has not yet been hacked, it is likely that it will be in the future. However, even those that have been hacked may not find out immediately.
In 2021, the average time for data breach detection was 287 days. Clearly, the discovery of sophisticated cyberattacks and crimes is a challenge for many organizations.
Considering the modern cyber challenges, ensuring good governance, understanding cybersecurity and creating a culture of cybersecurity awareness are essential for identifying cyberrisk in a timely manner and addressing it effectively.
From Good Governance to Good Cybersecurity
It is hard to deny that good cybersecurity is based on effective IT/cybersecurity governance and leadership. There are several well-known models, frameworks and standards that organizations can use to create effective governance, including the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), the US Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool, the International Organization for Standardization (ISO) ISO 27000 series of standards and COBIT®. These guides describe the roles and responsibilities of top management and stress the importance of IT strategic alignment, management support, preparedness to overcome IT and cybersecurity challenges, and effective IT risk management and reporting strategies. Mature organizations should be able to customize these guidelines in the way that best suits their cybersecurity governance and management.
Cybersecurity vs. Information Security and Why It Matters
Many top managers may not differentiate between information security and cybersecurity, and therefore they may not realize the importance of having proper frameworks to address both information security and cybersecurity challenges.
Even though both cybersecurity and information security are based on the well-known confidentiality, integrity and availability (CIA) triad, the vast majority of professionals prefer to use the term cybersecurity even when referring to what is technically information security. Cybersecurity refers to mitigating risk that threatens digital assets, including data, or that spreads through digital channels (i.e., over the internet), while information security refers to mitigating risk that threatens assets, including information. Cybercriminals can steal data that do not inherently possess a logical meaning. In other words, the data would not be considered information and, at first glance, would not be usable. However, from the cybersecurity perspective, the data could still be used for planning or executing additional attacks.
This designation is important when mitigating threats due to new challenges such as the increasing use of various digital devices (e.g., computers, tablets, smartphones, smart devices, Internet of Things devices) to receive or provide digital services and the mass shift to remote working accelerated by the COVID-19 pandemic.
Creating a Culture of Cybersecurity
Considering that ensuring the CIA triad is the basis of information security and cybersecurity, how can organizations ensure its implementation? The people, process and technology (PPT) framework can help, but what if we invert it?
In the upturned PPT pyramid, the people component is moved to the top and the stability of the pyramid becomes dependent on the behavior of people (figure 1). Just one careless step by an employee can entirely undermine the stability of the pyramid—as is the case with cybersecurity. Thus, it would behoove organizations to create a culture of cybersecurity by adopting the attitude that cybersecurity is everyone’s responsibility. In this case, continuously training employees in cybersecurity, identifying risk in a timely manner and regularly testing employees’ specialized knowledge are essential.
Effective leadership is needed to create and preserve an organization’s cyberresilient culture and to guide employees into making cyberconscious decisions. Sufficient hardware and software cybersecurity risk management solutions can be implemented, but, ultimately, the degree of cybersecurity protection depends on the consciousness, vigilance and behavior of each employee.
Figure 1—Importance of Cyberculture
Everyone’s Responsibility
Cybersecurity is a complex issue. For those organizations that do not have a dedicated cybersecurity team, spreading the concept that security is everyone’s responsibility can be one of the best mitigation strategies. To implement this strategy, organizations need to follow cybersecurity frameworks and best practices, not forgetting that well-designed and enthusiastically delivered security awareness training should be the minimum requirement.
Editor’s note: For further insights on this topic, read Komitas Stepanyan’s recent Journal article, “Addressing the Complexities of Cybersecurity at Fintech Enterprises,” ISACA Journal, volume 5 2022.