Sage Advice - Cybersecurity Blog

One of the key findings from PwC’s 2018 Global State of Information Security Survey is that when it comes to managing cybersecurity risk and building cyber resilience, senior leaders driving the business must take ownership. In fact, they found that Board confidence in security measures is actually tied to their participation in the company’s overall security strategy.

As cyber threats continue to escalate, Boards of Directors are becoming increasingly interested in cybersecurity and risk management. This is no surprise, as the Board is ultimately held liable and responsible should a breach occur. And it’s important because leadership sets the tone for the rest of the organization. They must lead by example when it comes to cybersecurity, and actively participate in, and be supportive of, the mission to be secure. As such, cybersecurity has made its way onto the agenda of many Board meetings.

Cyber threats are daunting. Not only are they complex and constantly evolving, they have the potential to impart significant financial and reputational damage to an organization. Plus, there’s no way to be 100% protected. That’s why cybersecurity is no longer just the responsibility of IT departments. Boards of Directors are ultimately liable and responsible for the survival of their organizations, and in today’s interconnected world, cyber resilience is big part of that responsibility. That means that Boards must take an active role in cybersecurity.

It’s not always easy to determine when your data has been compromised by an insider. When someone has approved access to sensitive data, and it's part of their job to use that data, how can you tell if something bad is happening?

Even environments with the most mature perimeter defenses are at risk of insider threats. Whether from malicious intent, carelessness, or clicking on a phishing email, the result is the same. Your sensitive data is exposed. The good news is that there are things you can do to deter, and in some cases prevent, insiders from compromising your network.

The majority of incidents caused by insiders are the result of employee / contractor negligence or just an honest mistake. But some are of malicious intent. For example, this benchmark study, found that 22% of insider-related incidents were caused by a criminal insider. It's still important to be aware of this type of threat though because they are typically very difficult to detect and often take a long time to discover. And the longer it takes to detect a data breach or leak, the more costly it can be for your organization.

Ever since Edward Snowden walked out of the National Security Agency (NSA) with a treasure trove of classified information, the threat posed to corporate data from an inside attack has been widely accepted. Today, study after study show that insiders pose a significant cybersecurity threat, reporting statistics like: 

So you’re well on your way to creating a cybersecurity culture in your organization. You’ve built a foundation of institutional knowledge, and you’ve carefully considered how people, process, and technology play a role. But there’s one more element to think about, and that’s testing. Actually not just testing, practice is also important. One of our security advisors often says, “You can’t think your way into playing the piano.” Practice will help you achieve cybersecurity resilience.

Bill Gates once said, “The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. The second is that automation applied to an inefficient operation will magnify the inefficiency.” In terms of a cybersecurity culture this couldn’t be more true.

When building a Cybersecurity Culture, process plays an integral role. Every process should include learning, improvement, and accountability touch-points, as well as provide end-to-end corroboration of the function it represents.

Let’s review what this looks like in practice.