Good cyber security begins in the boardroom

Cyber security is no longer just IT’s problem. Education and training are of vital importance for all company executives if they hope to tackle the growing threat of cybercrime and embrace the opportunities that having good cyber security practices offers, says Beth Porter

Companies can no longer put cyber security into the ‘too hard’ box and cross their fingers it won’t be an issue they have to deal with. Posing an ever-increasing threat – and one that has grown substantially since the advent of the Covid pandemic – it should be at the top of every organisation’s agenda, whether they are big or small.

Yet despite the fact that an increasing number of business leaders do recognise the importance of cybersecurity, too few companies are actually ‘walking the walk’ when it comes to cybersecurity investment, especially when it comes to providing adequate education and training for their staff. That includes C-Suite executives.

According to a survey of over 750 business leaders carried out by Esme Learning Solutions, in partnership with Future Publishing, three quarters of respondents see cyber security as both a central priority for their organisation as well as a high priority in relation to other business priorities.

But while businesses recognise the importance of tackling cybercrime – a problem which was costing mid-market businesses more than £30 billion a year even before the Covid-19 pandemic – too few are doing anything about it. And, rather more worryingly, there appears to be a substantial disconnect between their views and what’s taking place in their businesses every day.

For example, while half of companies (52%) link strong cyber security capabilities to increased profitability, only 36% believe they are equipped to capitalise on new cyber opportunities, indicating they are missing out on potential business benefits.

The cost of human error

Currently, one of the big problems is that businesses tend to view cyber security as purely a technical issue, requiring only investment in IT solutions such as anti-virus software or a password manager. However, this is only a small part of the picture. Indeed, approximately 60% of all cybercrime is currently caused by human error or action, such as clicking on a phishing link or unwittingly giving information to someone claiming to be an authorised company official.

That’s why educating staff about cyber security issues is particularly important in order to improve cyber literacy and prevent basic mistakes being made. A paper from Accenture earlier this year, Lessons from leaders to master cybersecurity execution, claims that organisations that offer the best training are twice as effective as other companies when it comes to defending against attacks. They’re also faster when it comes to discovering and fixing breaches and able to protect more of their organisations.

However, according to the Esme Learning Solutions survey, while the vast majority (95%) of companies want the latest in cybersecurity training, only 39% think the current offerings meet their needs. It’s clear that education is the missing link, with lack of training costing companies money while putting their businesses at risk.

Importance of training

While there are a great many technical solutions for cyber security professionals, such as CISOs (Chief Information Security Officers), there is a lack of high-quality, relevant training available to executives and business professionals. This knowledge is vital to help them understand cyber threats from a business perspective as well as work with the cyber team to mitigate risk and develop any potential cyber opportunities. This is something that Esme Learning is keen to address through a range of fully online courses, in partnership with top tier higher education institutions.

Ensuring the C-Suite is educated on cyber security protocols and hygiene does more than just improve overall cyber literacy within a company. It also helps to improve its overall culture, with job roles less ‘siloed’ or compartmentalised than before. For example, these days a CISO needs more than just the technical knowledge required to address cyber security issues; they also need the skills to communicate to the board and to understand the issues from a business, as well as a technical, perspective. Conversely, the CEO and other board members need to understand the threats and opportunities that cybersecurity brings and how to respond in a timely and appropriate manner if they are breached.

Covid-19 brings greater threat

Unfortunately, a severe security breach doesn’t just impact the bottom line of a company in the short term. It can also have a major impact on a business’ long-term survival, leading to poor stock performance and massive reputational damage, especially if customer data is compromised. Furthermore, as well as the cost of fixing the breach – including possible ‘ransomware’ costs to the hackers – there is also the risk of incurring massive fines for breaching regulations such as GDPR, currently up to 20 million euro or 4% of global turnover, whichever is highest.

Nor is this threat diminishing over time. In fact, the Covid-19 pandemic has only served to increase cyber security threat levels as staff – many of whom are not particularly cyber literate – work from home. Unable to rely on IT professionals in the office, or the relative protection of office firewalls, home workers pose a much greater risk to companies. For example, they may be more likely to click on phishing links or take a call from someone purporting to be a company official asking for financial details or company passwords.

Home office workers may also inadvertently allow cybercriminals much easier access to their work network through insecure listening devices such as baby monitors and smart speakers. It is no wonder then, that since lockdown began, there have been several high-profile cyber security attacks reported in the media with recorded hacks against organisations reaching a four-month high by the end of April 2020. As a result, both the UK’s NCSC (National Cyber Security Centre) and the US’s Cybersecurity and Infrastructure Security Agency (CISA) issued advisories regarding the potential for cybercriminals taking advantage of the COVID-19 pandemic on 8 April 2020.

Shifting to digital-first strategy

With the world rapidly shifting online as a result of the global pandemic, cybersecurity has never been so important. Many companies are now emerging from lockdown, only to find that the old ways of working, before COVID-19, are no longer appropriate and that they must take a digital-first approach if they hope to survive in the long term.

However, this can only be achieved if businesses start to ‘walk the walk’ and invest in a comprehensive cyber security strategy. Importantly, this doesn’t just involve spending on technical solutions, but investing regularly in education and training to help improve cyber security literacy. For board members, it means understanding the threats and opportunities that cybersecurity brings and how to respond in a timely manner if, and increasingly when, a cyber breach happens, in order to mitigate the damage caused.

Beth Porter is Co-founder, Chief Operating Officer and President of Esme Learning.

Beth’s passion is providing leading tech-enabled learning experiences. She’s pioneered research and developed products that transform online teaching and learning, including the Open edX initiative at edX and the original Texas OnCourse program. Her engagements include researcher and lecturer at the MIT Media Lab and Boston University Questrom School of Business.

Esme Learning Solutions is collaborating with Saïd Business School, University of Oxford, in the development of the Oxford Cyber Futures programme. It is designed to empower business leaders, from all industries, with the knowledge required to make strategic decisions around cyber security through self-paced online study.
