The threat of a breach should be perceived as a real and present danger to large UK organisations, especially in light of BT Chief Gavin Patterson having identified a culture of widespread negligence of proper cyber security practice in the boards of large organisations. According to Richard Pharro, CEO of APMG International, effective communication between the board and the IT department can go a long way to dampen the blow:
"It may seem as though the odds are permanently stacked against those tasked with managing the risk and vulnerabilities of an organisation's infrastructure. However, by adopting a holistic change in an organisation's attitude to security, rather than exclusively focusing its energy on minor repairs to the system, a cyber attack doesn't have to sink the ship."
A recent survey from EY reflects Pharro's observation that breaches are commonly perceived to overwhelm IT departments, with 88 per cent of organisations claiming they feel unprepared to deal with a breach.
Pharro went on to say that current responses to incursions on security were, in most cases, mishandled. This is a consequence of the ad hoc approach taken to managing risks and vulnerabilities:
"Many IT departments feel as though they're on the back foot, but this obvious situation of need shouldn't be met with paralysis: the entire organisation must be educated to act on threats. It is not surprising that careless or unaware employees are now the single largest source of a breach, as the EY survey found. Those board members content with pumping funds into preventative technologies must broaden their approach and consider security training for all parts of the business, including board awareness."
Pharro advised on laying the groundwork for an effective response:
"It is crucial that security is not understood in simple terms as a wall or defence, but as a wide-reaching organisational practice in which the breach is considered as an inevitability. By this model, the ramifications incurred by a breach can be pre-empted and staff throughout the organisation can be appropriately trained to deal with the resulting fallout. This traditionally involves introducing ways in which the infrastructure is able to absorb the impact of the attack and recover. However, the social collateral must also be considered.
"The introduction of a language shared across the organisation is the antidote to misunderstanding. Educating the entire organisation on threats and modelling responses around possible scenarios can reduce the degree of uncertainty posed by a breach. Tools such as CDCAT (Cyber Defence Capability Assessment Tool) make the complex world of cyber security more accessible and easier to understand, shifting the discussion away from technology towards management and business practices. This in turn helps directors to identify vulnerabilities in their systems, processes and practices and to define strategy to mitigate risks to critical information assets," he concluded.