Why Cybersecurity Should be the Concern of Every C-level Executive – Part I
17 July 2018
Recent cybercrime reports all point towards the same trend—the rise of insider attacks. Insider threats are considered more dangerous and harder to solve because insiders have access to critical, sensitive data and can steal information undetected for a long period. Any company, irrespective of industry, size and revenue, can be a potential target for an insider attack. Under such pressing circumstances, companies need to go the extra mile to secure their organizations from within. This sparks a pertinent question: Is securing a company the responsibility of the IT security team alone? What role should the employees and management play to fortify business-critical data?
A May 2018 ERP Maestro-commissioned Americas’ SAP Users’ Group (ASUG) survey revealed a widening gap between executives and IT employees in their level of cybersecurity concern. Thirty-three percent of the executive/management respondents weren’t even aware whether their company currently had a cybersecurity strategy in place, and of those who were aware, only 25 percent were concerned about security.
As ERP Maestro’s Jody Paterson points out, “The disparity doesn’t necessarily mean that the executives aren’t concerned about security; it just goes to show that the C-level may have less visibility into the level of risks and are apt to be removed from the day-to-day cybersecurity tasks.”
How does management’s involvement in security strategy affect a company and help reduce its cybersecurity risk?
To answer the above question, we must first look at the cost of an internal attack to a company.
According to Ponemon’s 2017 Cost of Data Breach Study, the average cost of a data breach was $3.62 million, and the average cost per compromised record was $225. To put this in context, the largest data breach last year, at Equifax, exposed 143 million records; at $225 a record, that is over $32 billion. The average time to identify an external data breach was 191 days, and an insider-led breach takes significantly longer. Identifying the perpetrator is much more challenging because insiders already have legitimate access to company data, and the longer a breach takes to identify and contain, the more expensive it becomes for the company.
Lack of visibility into who has access to sensitive information is a prime factor that delays identifying the rogue employee or the unintentional actor. The IT security team needs tools that provide continuous monitoring and constant visibility not just into who has access to sensitive information, but also into who has used that access and how it has actually been used. Visibility into such granular utilization data allows the IT security team to flag suspicious activity immediately and aids the early identification of an insider crime.
How can the C-level help?
Executives are the decision-makers. Without buy-in from management, the IT security team cannot procure the tools to monitor and safeguard the data that is crucial to the company. As ERP systems migrate to the cloud and sensitive data becomes accessible from multiple devices, the opportunities for a crime increase; it is therefore the responsibility of the leadership team to equip the company’s security team with tools and technology that allow them not just to keep up with cybercrime, but to stay ahead of it.
The role of employees
When it comes to insider attacks, there are three main types of threats:
- Accidental: Usually caused by a lack of awareness of cybersecurity best practices; instances include an employee accidentally performing a transaction, accessing sensitive data or sharing the company’s critical information
- Negligent: Most often the result of unintentional mistakes, made without malice, by employees who circumvent processes and policies to get their work done quicker, for instance by sharing passwords or files
- Malicious: Acts committed by disgruntled employees or by employees motivated by financial gain
How can employees play a part in protecting business-critical data? Educating employees about cybersecurity risks helps them understand the value of security protocols and processes and ensures they do not involuntarily compromise data by opening or clicking suspicious links or by sharing data or login credentials. Using detective controls and a robust access management solution to make sure “ghost employees” (ex-employees, or employees who are no longer in the system) have their access to sensitive data revoked is another security best practice.
Further, to create a holistic security culture in which all employees are involved and actively serve the interest of securing the company’s sensitive data, the directive needs to come from the top.
Read more about the Security, Governance, Risk and Compliance Insights Survey results here.