Cyber Security Month: The Importance of Shared Responsibility
In insight / By Phil Muncaster / 23 October 2019
All through October, vendors, non-profits, enterprises and other industry stakeholders held awareness-raising activities designed to improve cybersecurity for both organisations and consumers as part of Cyber Security Awareness Month. These initiatives took place across Europe and the US, highlighting just how important IT infrastructure and services have become to socio-economic wellbeing.
In Europe, the key message from CyberSecMonth is that security is a shared responsibility: only if consumers, businesses and technology providers work together can they hope to build a more secure digital world.
Cybercrime went professional many years ago, and today’s underground economy is a vast multi-billion-pound network of buyers and sellers, hackers and fraudsters, offering stolen data, criminal services for hire and much more. As if that weren’t enough, nation state hackers are increasingly getting involved in money-making ventures. The UN believes North Korean operatives have managed to amass $2 billion for the despotic regime through various online attacks.
In response, organisations’ IT teams are struggling to mitigate cyber-risk with limited human resources, as digital transformation projects increase the corporate attack surface even further, and compliance requirements become more onerous. A UK government report from earlier this year revealed that 60% of mid-sized firms and 61% of large enterprises suffered a security breach or cyberattack over the previous 12 months. Insurer Hiscox reckons the figure is around 55%, with only 10% of organisations across Europe and the US classed as “experts” in terms of their cyber-readiness.
Against this backdrop the message from CyberSecMonth of shared responsibility makes complete sense. We can interpret this in three different ways:
The Consumer Angle
Breaches are bad. They hit the corporate bottom line in remediation, clean-up and investigation costs and potential impact on the share price. But the biggest knock-on effect can come from the way they affect consumers; class action suits, customer churn and damaged brand reputation are not uncommon following a serious incident. Yet improving corporate security is only one piece of the puzzle.
Consumers must also play their part in securing the digital world. If they don’t, their PCs, mobile devices and smart home endpoints could be hijacked by hackers to launch DDoS and other bot-powered attacks on firms. If they don’t practise secure password management, their online accounts could be breached in credential stuffing campaigns, which can also damage brand reputation even when the company in question is not to blame.
Companies can help here by scanning for known bad IP addresses, educating their customers about security risks and how to spot phishing emails, and even subsidising free anti-virus protection. But ultimately, consumers must understand that the shared responsibility also applies to them.
Sharing Responsibility Company-Wide
We can also talk about responsibility from a company-wide perspective. Security-by-design is the goal, although it may require painful cultural change to achieve. It describes an approach in which all employees, from the boardroom down, understand the value of the data they hold and the repercussions for the company if it is stolen or scrambled with ransomware. The buy-in of senior executives is crucial here, both to release funding for important security projects and to ensure that, strategically, all new services are designed with cyber and data protection built in from the start.
It’s somewhat concerning that although 65% of respondents to a recent Microsoft poll identified a senior executive as the main owner of cyber risk, only 17% said they’d spent more than a few days in the past year focusing on the issue, with 51% spending several hours or less.
Tech Providers and Corporate Consumers
Finally, shared responsibility means both corporate consumers of IT and tech service providers/manufacturers doing their bit to enhance cybersecurity. When it comes to the cloud, the limits of the provider’s responsibilities have been clearly delineated by Microsoft, AWS and others. However, worryingly, the majority of EMEA IT leaders responding to a 2017 poll incorrectly claimed that their public IaaS provider is responsible for securing customer data in the public cloud (64%), securing applications (61%) and operating systems (60%). In fact, all three are the customer’s responsibility. In a similar way, outsourcing to a managed service provider doesn’t mean handing over accountability. Due diligence is crucial before choosing a partner in this space, and GDPR regulators will not be impressed by attempts at buck-passing in the event of a serious incident.
There’s also increasing concern among governments and IT executives over the quality of IoT systems, which often roll off production lines with little attention paid to security. The UK has led the world in developing a code of practice for the industry, now formalised as the European ETSI TS 103 645 standard. It will require participating manufacturers to develop a vulnerability disclosure policy and forbids universal default passwords in factory-fresh kit.
The bottom line is that corporate CISOs are not the only ones responsible for securing the connected digital world which keeps planes in the sky, hospitals ticking over and global financial systems running. But they still have a vital role to play.
If you'd like to speak to our knowledgeable team about your current or future security strategy, contact us today.