By Siroui Mushegian, CIO at Barracuda Networks Inc
The security end goal for all organisations is cyber resilience. Effective prevention and detection measures are, and will remain, a critical cornerstone of security strategies, but companies shouldn’t stop there. What matters is how the organisation prepares for, withstands, responds to, and recovers from an incident. And this depends on people and processes as much as it does on technology.
When the U.S. National Institute of Standards and Technology (NIST) updated its benchmark Cybersecurity Framework earlier this year, it added security governance – how security is implemented and managed through people and processes – as a strategic priority. As a CIO I completely agree with this.
Effective security governance includes such things as consistent security policies and programs, a business leadership that understands risk and how to manage it, robust incident response strategies, investment in skills and training, and more. Our international Cybernomics 101 study revealed that many organisations are finding these goals difficult to achieve.
Globally, just 43% of respondents believe they can effectively address cyber risk. In Australia, nearly 2 in 10 organisations (17%) rated their IT security posture as not effective at mitigating risks, vulnerabilities and attacks. This low level of confidence in their own security posture is concerning. We decided to dig deeper into the data to learn about the top challenges facing organisations on their journey through risk toward cyber resilience, and to draw on our experience to develop practical tools that could help them.
The result is our new CIO report: Leading your business through cyber risk, published today.
The report explores how challenges relating to security policies, management support, third-party access, and supply chains can undermine a company’s ability to withstand and respond to cyberattacks.
Among other things, the findings show that many organisations find it hard to implement company-wide security policies such as authentication measures and access controls. Half (49%) of the smaller to mid-sized companies surveyed listed this as one of their top two governance challenges. This could in part be a cultural issue, such as where employees push back against enforced restrictions. It is a risk area where business leaders have a powerful role to play.
In Australia, 29% of respondents worry that senior management do not see cyberattacks as a significant risk, and 49% report that their organisation lacks consistency across enterprise-wide security policies and programs. Both are key obstacles to an organisation's IT security posture being fully effective.
Regardless of size, many organisations have concerns about a lack of security and control over the supply chain and visibility into third parties with access to sensitive or confidential data.
In Australia, around one in 10 of all the businesses surveyed does not have an incident response plan to turn to in the event of a successful breach. 28% of the Australian organisations surveyed also reported that there is no set schedule for testing the plan, despite nearly half (47%) having experienced one or more cyberattacks in the last 12 months. This could be due in part to the complexity and resource requirements of running a realistic test.
A non-existent or unproven plan could do more harm than good if a serious attack hits and a company does not know what to do next or what its obligations are.
Fortunately, organisations don’t have to go it alone. The CIO report signposts some external sources of help, and also offers practical templates to help organisations manage cyber risk and map where they are in their journey toward cyber resilience. These include a risk management menu and a cyber resilience checklist.
The cyber resilience checklist draws on the latest iteration of the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework and can be freely downloaded and printed from the Barracuda website.