Cyber Security: Whose Responsibility Is It?
Cyber security has become such a widespread concern for organizations of all types and sizes that it requires dealing with in a systematic manner. The high-profile nature of certain cyber attacks – Facebook, Google, British Airways, Equifax, Anthem, Home Depot, Yahoo, Sony, and Uber, to name a few – hides the fact that while the form, size, and intent of attacks tend to vary, the threat looms over private, public, and not-for-profit organizations alike in every corner of the world. Colleges and universities have fallen prey to costly ransomware attacks, havoc has been wreaked on banks in Italy, Canada, and Bangladesh, and Russian hackers hijacked the 2016 federal election through a simple phishing scam. Such attacks are alarmingly easy to design and deploy. Phishing, for example, requires only a single distracted click on a link in an email or text. Once the automated malware has gained a foothold, IT networks can be crippled in a matter of minutes. And that is just one of the many dangers lurking out there in cyber space.
However, which part of the system is responsible for maintaining cyber security on such a level that it ensures safety of all entities involved? On a macro level, governments have a responsibility to put in place comprehensive national cyber security strategies to protect critical infrastructure, according to Sir Julian King.
“Regulators can help by setting clear and predictable frameworks and creating the right incentives, but rules alone are not enough to transform the current state of affairs,” states King. “It cannot rely solely on governments telling organizations what to do, but the private sector also has to step up and assume part of the responsibility seeing that as much as 95% of cyber threats are aimed in their direction.”
Nonetheless, no matter how much governments are working to enforce transparency and security, businesses are still reluctant to recognize and react to such a significant threat. Just looking at the typical IT budget is enough to see how aware the companies are of the gravity of the situation. Even though companies across all sectors rank cyber security as their most pressing issue, and despite an upward trend in spending, the typical cyber security budget is profoundly underfunded. According to Steve Vintz, IT budgets are typically 3-7% of a company’s revenue, and security budgets are typically 5% of IT spend. In other words, the average company allocates just over 1% of revenue safeguarding against potentially catastrophic cyber attacks.
But there might be a way around this particular hurdle.
“Shifting the view of cyber security as an unavoidable cost to one where cyber security is sought after as a way of gaining competitive advantage, and one where businesses also shoulder their responsibility for keeping customers safe – that is what will help the entire system move forward on this issue,” says King.
The way to do that is to make it hard on the attackers to perform security breaches by building the IT network practically impenetrable – through employing both the necessary technological advances and human effort, by raising awareness on the dangers of unsafe internet behavior and by recognizing and disrupting active attempts of cyber attacks.
But who should take on this responsibility within a company? That’s the big question.
The financial sector often relegates cyber security to the IT department, with the CFO punting the ball to technical divisions and managers, then washing their hands of further responsibility. However, while traditionally tucked away under the IT umbrella as a SECURITY concern, many if not most of the consequences of cyber attacks have severe and long-lasting FINANCIAL implications. A 2017 study by Centrify and the Ponemon Institute pegged the average cost of a data breach at $4 million, the average stock price drop at 5%, and the average revenue decline at $3.4 million. Not to mention the embarrassment of suffering a cyber attack – the company looking weak and ill-prepared, the erosion of consumer trust and confidence, and a tarnished reputation and brand – much less lawsuits. Target paid $18.5 million after a cyber-attack put the data of sixty million of its customers in peril, and Anthem was slapped with a $115 million penalty.
So the problem lies in the communication gap among leadership roles.
“Cyber resiliency starts with the board because they understand risk and can help their organizations set the appropriate strategy to effectively mitigate that risk. However, while CISOs are security specialists, most of them still struggle with adequately translating security threats into operational and financial impact to their organizations – which is what boards want to understand,” says Anthony Dagostino, global head of cyber risk with Willis Towers Watson.
“To close this communication gap, CISOs [or CTOs] need tools that can help them quantify and translate the vulnerabilities uncovered from their cyber security maturity assessments. These tools enable them to better communicate the risk to the board, seek adequate budget, and enable the board to provide meaningful guidance.”
Therefore, the logical conclusion is that much like cyber security isn’t just the government’s responsibility, but it also includes all types of organizations, it isn’t the responsibility of one department either – it needs to be built into how a business operates.
“From finance, to HR, to marketing, to operations – everyone needs to be a good cyber steward. It’s really all hands on deck to make sure the entire organization is adhering to the right protocols, practicing good cyber hygiene, and understanding how their specific job plays into the cyber landscape, “ states Tim Brown, VP of Security at SolarWinds MSP.
Cyber security starts with each individual user’s responsible behavior in cyber space. Understanding that each entity of the system is responsible for their actions because they influence all the other parts of the machine is just the first step toward making it a safe environment for both individuals and organizations.