Why cybersecurity must be baked into every business decision

2 Aug 2021

Edel Briody, Vodafone Ireland. Image: Naoise Culhane

Vodafone Ireland’s Edel Briody talks about the importance of cyber resilience and having a strong security strategy.

Working to ensure business resilience has never been more important. In the wake of the HSE cyberattack, which has shown us just how much devastation cybercriminals can cause, it’s vital for every organisation to take cybersecurity seriously and to protect themselves against external threats and internal complacence.

Moreover, the Covid-19 pandemic has caused an accelerated move to online and digital services in work, education, health, retail and more. The more we do online, the more we must prioritise cybersecurity. In fact, PwC’s Global Digital Trust Insights Survey 2021, which surveyed more than 3,000 global executives, found 96pc of organisations had evolved their cybersecurity strategy due to the pandemic.

Companies of all sizes need to ensure that they not only have the appropriate and up-to-date cybersecurity technology in place, but also that cybersecure thinking and behaviour is part of the DNA of their organisations.

This is no longer an optional add-on or a siloed activity. Half of the executives surveyed by PwC for that recent report said cybersecurity and privacy will be baked into every single business decision or plan in their company.

While most larger organisations have extensive security controls and infrastructure in place, some smaller firms do not and they are leaving themselves open and vulnerable to attack. Regardless of the size of the organisation, however, it’s crucial to remember that strong cybersecurity has two critical components.

The first of those is security technology, infrastructure and controls, and those should be strong and up to date no matter what. More and more organisations are ensuring this is the case. Accenture’s State of Cybersecurity Report 2020 found that 82pc of leaders were spending more than a fifth of their IT budgets on advanced security, up from 41pc three years earlier.

The power of education

Companies can fixate on technological fixes without focusing on the most significant line of defence. However, the second and arguably most important element of any cybersecurity strategy is instilling a security culture throughout every aspect of the organisation and influencing and supporting the appropriate human behaviour needed to combat threats.

Organisations need to move away from having security training as a box-ticking exercise or doing training because they know they should be. A high security culture must underpin the company culture.

This is not a once-off activity, a strong security culture will change employee attitudes. This means moving beyond tactical and recognising that effective security requires a long-term approach, focusing more on the awareness and communications, bringing the policies to life so to speak. It means understanding the best communication channels to promote a sense of belonging and offer support to employees to raise security incidents or issues is really important.

It’s vital, for example, to emphasise and re-emphasise the importance of even the simplest, most basic behaviours, such as never sharing your password or being careful not to discuss confidential information on calls in open-plan offices. It’s also worthwhile to underline that the information people share on social media is absolute gold for cybercriminals. They can obtain extremely valuable information there.

Early detection of significant new threats often arises because someone says, ‘This isn’t right, this doesn’t feel right, maybe we should get this checked out before we click on it.’ Encourage everyone in your organisation to report anything remotely suspicious to the IT department and ensure you run simulated attacks to understand and analyse the response within the organisation. Likewise, limit admin rights so employees can only download approved apps and software.

Our analysis, particularly of the FluBot malware scam that has been circulating to Android phones across Europe, shows that hackers have changed tack in recent times. As much as organisations and companies try to bolster their defences, hackers are trying to exploit any potential loopholes arising from human behaviour.

They study the human perspective because they are trying to make sure their messaging is as impactful as possible, so they use masking and spoofing behaviours to make their messages seem as though they are coming from the Gardaí or the Department of Social Protection.

The most insidious phishing threat is often not one involving a huge volume of phishing emails. It’s where the hackers turn down the dial and try more low-key approaches that could easily catch people out.

One threat to warn staff about, for example, is spear phishing. This might occur when a third party’s technology has been compromised. When an employee receives an email from the third party, it seems legitimate and trustworthy, but it is what is being asked of the employee that should raise the alarm. For example, they might be asked to change the bank account to which a payment is being made. Everyone in an organisation should be aware of these red flags.

To fight cybercrime, we need a holistic approach, spanning industry, individuals and government. Ireland is already at the vanguard of this and works with industry to understand threats and where security improvements can be made, but it’s vital that national and European policy and regulations are clear to everyone in every business so that we can have strong and effective digital workplace policies.

By Edel Briody

Edel Briody is the head of corporate security, risk and compliance at Vodafone Ireland.