A conversation of rising cybersecurity threats
A conversation is happening in the UK about businesses’ responsibility to their customers in the face of rising cybersecurity threats. Last week, consumer watchdog Which? called on the Government’s new fraud task force to ensure companies better protect their customers from cybercrime and compensate them for breaches. The Government’s own Cyber Governance Health Check report on Monday indicated that while top firms understand the importance of cybersecurity, they fail to gather the right information to be ready to take action.
With the Government’s study revealing that two-thirds of UK companies have been targeted by cyberattacks in the last year, policymakers are eager to find ways to ensure firms take appropriate action. However, simply imposing a fine on the businesses that lose customer data is not a recipe for genuine accountability. One of the most enlightening discoveries of our recent study, The Accountability Gap, is that two out of five respondents across NED, C-level, and CIO/CISO-level positions admitted that they don’t feel responsible for the repercussions of a cyberattack.
This reveals a major mismatch in many modern businesses. Compensation is great for customers, but it won’t change the fact that, on the whole, corporate leaders have failed to take responsibility for the security of their data. Our research, in partnership with Nasdaq and Goldsmiths, University of London, showed that in the UK specifically, only 29% of the most vulnerable C-suite executives had gone through risk assessments related to cybersecurity. Overall, just 10% of executives at the most vulnerable companies receive regular updates about the types of threats that could affect their business, and 98% are not confident that their organization tracks all computers and users across their systems at all times. This accountability gap manifests itself in levels of awareness and readiness that do not match the growing threat level. It poses a significant issue for the UK’s businesses, including many of the FTSE 100.
There is evidence that cybersecurity is beginning to get boardroom recognition, but this is far from sufficient. A culture of vigilance needs to exist throughout an organization, and cyber literacy must improve at all levels. Corporate leaders should then take an honest look at the technology they use to keep their business safe. Can they answer basic questions like, “How many devices are on my network?” This is not a technical issue: you simply can’t secure something you don’t know exists.
Later this year, the UK Government will publish a revised national cybersecurity strategy. It will set out a fresh approach to help businesses, consumers, and its own departments tackle cyberattacks. Then in the autumn, a new National Cyber Security Centre (NCSC) will open to help the private sector implement this strategy. These are very welcome steps, but they must be focused on creating a genuine culture of accountability in businesses.
We believe the Government’s advice to businesses should cover four important areas:
- Raise awareness of the cybersecurity threat: The government is uniquely placed to measure and communicate the rising risk of breaches.
- Educate firms on best practices: Consulting with the cybersecurity industry, the Government should form a view of what constitutes best practices and then use NCSC to help companies implement changes to their approach.
- Support a skilled workforce: Ensure IT security courses are available and affordable to fill the widening cyber jobs gap.
Throughout this process, Tanium will be playing its part in campaigning for a more holistic approach to security. Network visibility, strong response plans, training employees, cultivating knowledge, and sharing information are all crucial elements for strengthening companies’ IT security. The Government is confident it understands the scale of the threat, but it must be willing to recommend solutions to match it.