Combatting cybercrime is a constant concern for South African companies. At the beginning of May, Dis-Chem experienced a cyberattack where the data of more than 3.6 million customers were compromised. This follows hot on the heels of the TransUnion incident where a hacking group gained access to the personal information of 54 million consumers.
These two recent news items underscore the risks companies face in their ongoing war against cyber threats. Those businesses that get breached continue to struggle with immediate and obvious impacts: downtime, loss of data, loss of revenue, hits to their reputations, and regulatory fines. But the stakes are getting higher.
With the Protection of Personal Information Act (POPIA) in effect, companies like Dis-Chem, TransUnion, and any other that gets hit by an attack open themselves up to additional scrutiny from customers. In the court of public opinion, people expect organisations to act more diligently to protect sensitive information. Those who are perceived to be lacking in this regard stand to lose business from an increasingly educated customer base that is more than willing to move to a competitor in the wake of such incidents.
Of course, virtually every company has made some effort in recent years to strengthen its cybersecurity posture. High-profile breaches at Experian, Debt-IN, and other well-known local organisations have heightened awareness and forced IT decision-makers to shore up corporate networks and reinforce their policies. But that does not mean the breaches are stopping.
Exacerbating the challenge is that many companies still believe cybersecurity is solely the IT department's concern. If these recent incidents have shown us anything, it is that security is an organisation-wide priority.
It is also not only SMEs that are struggling to change their mindset when it comes to cybersecurity. Even larger companies are finding it difficult to move to a more integrated approach. Most still rely on back-room IT managers to set and carry out security strategies. Many have not involved business leaders enough in cybersecurity strategy or made cyber threats a standing item on the board's agenda.
The reality is that this can no longer be deferred. Companies must refocus their IT strategies to balance security with the availability of data. Here are four basic steps they can take to prioritise cybersecurity at the leadership level.
1. Strengthen the board’s cyber skills
The board must take an active role when it comes to cybersecurity preparedness. For this to happen, directors need to ensure that they are up to the task. This goes beyond having members hold occasional catch-up discussions with IT and business leaders. Board members need to educate themselves to meet the ongoing cybersecurity challenge.
As a starting point, boards can assess the cyber skill levels of their members. They can also recruit directors with expertise in cyber matters. These cyber specialists can lead subcommittees and engage more directly with business and IT leaders on cyber strategy.
In addition, the entire board should receive annual or twice-yearly training to keep pace with the constantly evolving cybersecurity landscape. A board that is well versed in cyber issues can better address the risks, liabilities, and technical issues that will inform the strategy decisions it will have to make.
2. Create a free-flowing information exchange
Once the board is up to speed, management needs to develop a mechanism that promotes consistent communication about cyber risks and strategies. Managers should set aside time for focused discussion of plans, procedures, and ongoing issues relating to cybersecurity risk.
It is important for the mechanism to include stakeholders from a variety of departments, from business to IT to legal, HR, and marketing. Yes, cybersecurity technologies will still be controlled by IT. But strategy and implementation cut across all departments and extend all the way up to the board. These interactions should become an ongoing part of the board's responsibilities, with managers serving as educators and facilitators.
3. Designate an executive sponsor
Even though cybersecurity extends company-wide, the development of a response plan is best owned by a single individual. This person does not have to develop the entire plan. However, the person should be a leader who has the authority to drive change and gain alignment across the company. In theory, the CIO, CISO, or CSO should be well positioned for this task.
In practice, however, it often makes more sense for a company to appoint a business leader to this role. It is less about the technology being used and more about understanding the impact on revenue-generating activities and operations. The person should engage with technology leaders but approach the task with a focus on business strategy. Technology is critical, but the best response plans are framed around how operations can best be prepared for a breach and sustained if one occurs.
4. Assign roles
While the CSO and CISO set the security agenda, other leaders also need to become involved. For instance, CFOs must ensure that an appropriate level of security is built into all the company's financial processes. HR directors need to vet new hires more diligently and help employees become comfortable with security practices. Sales leaders need to promote security hygiene, especially among travelling sales staff whose remote access makes them prime targets for attackers.
The road ahead
Given the access cybercriminals have to ever more advanced technologies, it is a case of when rather than if a breach occurs. However, companies can take a more proactive stance to mitigate the repercussions of a successful attack.
By making cybersecurity a leadership issue and extending it across the business up to board level, companies can certainly take a step in the right direction.
By Dave Russell, VP Enterprise Strategy; Rick Vanover, Sr. Director Product Strategy; and Chris Norton, Country Manager Africa, Veeam