Chris Weston (Principal, European Client Advisory)
Marc Dowd (Principal, European Client Advisory)

What next for cybersecurity?

It seems that every week there’s a new threat for CIOs to be concerned about. The current popular attack appears to be ransomware – as seen by the pipeline attack earlier this month – but no doubt some new threat will appear before long.

How does the Digital Leader cope with this? What strategies can he or she devise? What support do CIOs need from the rest of the business and what do they need to do to bring their teams up to speed?

A CIO in the group kicked off the discussion with an example of how in the past year his own corporate account had been hacked by brute force methods, and in a separate incident, his organisation paid a ransomware attacker to release their network after it had been targeted and infiltrated. As he put it, vulnerabilities always exist but they have made improvements through regular, consistent training which has helped to change the culture, improve individual capability and raise awareness.

The group discussed the benefits of people understanding what a cyber attack could mean for their own job security: if this is understood, there is greater motivation to be part of a solution.

One participant spoke about the importance of having a strong team that held a formal meeting every day to undertake a risk assessment. It’s certainly an approach that would reap dividends but, as was pointed out, it was not something that was available to everyone – there would be a question of funding for one thing. It’s something that could only be contemplated by larger organisations.

Even then, there could be difficulties. As the participant explained, people will try to circumvent the process, and a better way of working may be to try using smaller teams for a more targeted approach. Another CIO remarked that they only got a chance to formally raise this subject with the board once or twice a year, but they had been able to provoke discussion and raise awareness in the senior team through informal channels.

Chairing the session, IDC’s Marc Dowd raised the thorny question of external business partners. He highlighted the issues that Apple had been having when a team of ransomware hackers breached the systems of one of the tech giant’s suppliers. As Dowd pointed out, if a company the size of Apple is vulnerable, what hope do other companies have?

It clearly touched a nerve as participants spoke about some of the difficulties they’d been having – from resorting to paper processes to finding themselves persona non grata as suppliers cut all connections after an attack.

And, as one participant explained, it added another layer of complexity to the whole process. “We have to think, not just about us, but about our supply chain: have we got contingencies in place if they get attacked?” The sheer frequency of ransomware attacks was clearly on people’s minds too. As one speaker said, with marked exasperation, “you can’t turn on a computer without a ransomware attack, they’re almost daily.”

There were concerns from CIOs about the limits of what they could do. There were so many factors at play: the level of funding for cyber-security measures, the responses of the workforce, the company culture and so on. The IT executives can only do so much. As one participant said sadly, “We’re the scapegoats, what can we do to protect ourselves?” before adding, “What insurance policies can we put in place?”

The idea of cybersecurity insurance was picked up, and adopting such a measure was seen as one way of mitigating threats – or at least the effect of threats. However, it was recognised that criminal gangs have been targeting companies that have insurance, since a ransom is more easily paid.

The final question was whether those humans needed help through the implementation of elements such as two-factor authentication and password managers. One speaker said it was an approach that had been tried but it had limits: “We can’t use password managers for twelve thousand users; it will be a complete mess.”

There was certainly an acknowledgement that IT teams were up against it. As one speaker said, it’s not possible to be 100% secure, you just have to get the best value of what you have got. Another speaker disagreed, however, and with tongue firmly in cheek said that it was possible to have 100% security, “it’s just that nothing would be usable.”

Ultimately, that’s the heart of the problem. CIOs need to produce working systems that are operable by humans. There was talk of automating the process but, when it comes to crunch decisions, it’s humans making the decisions … and it’s going to be humans who are going to be the biggest vulnerability.
