Do companies take cybersecurity seriously enough?

The hard truth is that there is no way that cybersecurity risk can be fully eliminated.

By Mike Harris Grant Thornton Ireland

ANYONE IN BUSINESS knows that fighting off cyberattacks is a never-ending battle and a constant drain on resources – money and people.

Making matters worse, it always feels like the hackers have the upper hand, that they are one step ahead, unleashing ‘zero-day’ attacks that no-one has seen before.

Compounding the problem is our increased dependency on technology, and devices in particular, that offer anytime, anyplace access to applications and services we now consider business-critical.

They make us more efficient and productive but they also increase threats by providing more entry points into business networks for cybercriminals to exploit.

Companies must face the hard truth that there is no way to fully eliminate cybersecurity risk. On the other hand, there are steps that organisations can take to prevent multiple attacks or mitigate the consequences if an attack occurs. 

Rate the risk

You can’t keep pace with all the threats, so work out what poses the biggest danger to your business and build a risk management regime around it.

It could be confidential company information that would cause catastrophic reputational damage if leaked or stolen; or transactional data that would lead to direct or indirect financial loss if exposed.

Risk rate every area of your business and align security measures to the most vulnerable. You have to ensure resources protect the valuable information that matters most to your organisation. 

Protecting your technology is key, most businesses now run on IT systems, local and external, accessed over networks.

With mobile and cloud services, traditional network perimeters have been blurred, which makes it harder to protect the systems that store the data hackers want to steal.

You need in-depth defence, multiple layers of protection across multiple entry points with appropriate skills to manage them, ensuring potential vulnerabilities are always ‘patched’, that antivirus is in place and systems are configured securely.

Managing the weakest link

People are often the weakest link in an organisation’s security. You have to explicitly train and educate employees on cyber risks relevant to their role.

Get them to sign a policy document, the rules and regulations that make clear what they can and can’t do with the IT equipment they use in their work.

The bad news is that businesses are pretty good at drafting policies but lax when it comes to implementing them. The best chance of mitigating risk is having policies fully embedded in the culture of the company and central to everything employees do.

Security professionals will tell you that there are only two types of organisation, the one that’s been hacked and the one that doesn’t know it’s been hacked. The serious point is that you need to pay as much attention to how you can control a breach after it happens, as protecting against one in the first place.

Policies, procedures and enforcement tools should first be focused on containing the threat, preventing it from penetrating the whole organisation, before attention turns to identifying and fixing the vulnerability to stop it from happening again.

Now that we all communicate digitally and across multiple channels, the exchange of information carries a risk of malware being downloaded into company systems and wreaking havoc on a business.

A combination of tools and policies is the best protection: software that automatically stops users accessing suspicious websites and blocks malicious emails coming in; and policies that instruct users not to click on or open anything suspicious that gets through.

Whether you do it yourself or buy it in as a managed service, you need to be monitoring your systems and services constantly.

You need software and hardware to raise alerts, and real-time analysis to explain and contain a breach.

You need capabilities in what the industry terms SIEM – Security Information and Event Management – ideally preconfigured to the specific demands of your business, whether the priority is regulatory compliance or mitigating financial loss.

Mike Harris is a partner in cyber security services at Grant Thornton

Get our Daily Briefing with the morning’s most important headlines for innovative Irish businesses.