André Meyer, the lead cybersecurity expert at Accenture Luxembourg, explains why organizations should be cyber-resilient, why they should take an honest and accurate look at their current state and focus on staff training, and why a lack of time, money or leadership is not an excuse.
Photo: According to André Meyer, cybersecurity should be considered as more of an investment than an obligation / Credits © Accenture Luxembourg
How would you define cyber-resiliency?
AM: It is a mix of processes and measures. It first includes having appropriate technology that prevents your organization from being at risk. For example, if your company is running an old system, it can easily and very quickly become a target. Your organization should remain uninteresting to hackers.
Secondly, if your company is a big name and has very valuable assets, then it should implement appropriate measures to secure its systems and assets.
The human factor is the third important part of cyber-resiliency. You can have all the best technology in the world, but if within your organization someone makes a mistake and cannot handle it, or leaks information, it can easily lead to a security issue.
In other words, cyber-resiliency means thinking about what you want to do to protect your company, its assets, and its people. It is also about implementing the right technology, as well as defining and employing the right mindset to manage that technology.
How do you think employer behavior can drive cyber-resiliency?
AM: First you need to make people aware of the fact that they can be a part of security risks, but more importantly, they should be told that they might be a part of the problem, but are just as much a part of the solution.
They should be aware that they can become a target for cybercriminals; they may hand confidential and valuable information to the wrong people. Therefore, you need to inform your staff about these threats and security risks. They further need to be educated on how to identify the situation and how to react appropriately if they are targeted.
Companies also need to customize their training to better suit the roles and functions of their staff. These include consistent and evolving awareness training programmes, the integration of the staff into the security process from the very beginning, as well as relevant information on where they can be targeted within the attack chain.
If you know what you represent for your attackers, it becomes quite easy to identify when and how they will target you.
Given this, what message do you have for your staff?
AM: What I tell my staff is: if you are facing an ongoing threat, a malicious party has put you on their map, then being passive is not sufficient. Deleting, for instance, a suspicious mail is not enough. You should inform your security team and help them understand how you have been targeted. It is people's approach towards security threats that determines a company's cyber-resiliency.
How can HR departments be involved in a company’s cyber-resiliency plans?
AM: Cybersecurity only works if it is integrated within the whole company and done across all departments. If you put the entire focus and responsibility on the IT side only, you are missing the point.
HR departments are in charge of the whole human capital of the organization, they are one of the most crucial actors in the company. As they recruit people, they are the gatekeepers that keep the company safe. Hence, they should pay attention and identify employees who could be potential threats. Lots of cyberattacks are done by people, and those are easier to eliminate from the inside by paying closer attention.
How do you train your staff and which training programmes do you suggest?
AM: A good resiliency programme should include basic online training that gives people all the information they need on the subject. It should give them a broad overview of the subject, and make them aware of what kinds of attacks they may face.
It should also include more specialized and dedicated training, based on concrete examples of risks and threats that your staff might be confronted with during day-to-day operations.
How often should these trainings take place?
AM: A yearly session is a good starting point for basic training. Because cyber attacks can remain unchanged over the years, it is also about refreshing people’s memories about what they have previously learnt.
The aim is to make them aware of recent cases and threats that might potentially appear under new guises in changed circumstances. For instance, the current situation where people are working from home due to the pandemic can lead to new cybersecurity risks.
Whatever the technology you buy, you will always have people working on it and with it, so if these people are not sufficiently aware or trained, they can become the problem. Even the best technology in the world cannot prevent human errors.
For that reason, you should invest in your workforce, and this investment should not be neglected.
What are the main impediments against cyber-resiliency?
AM: Lack of money and time are the most common hindrances. But when it comes to implementing and committing to a cybersecurity policy, lack of time is not an excuse. You need to commit time to improve your cyber-resiliency.
Moreover, everyone in the organization is focused on saving time and making more money, so cybersecurity is often not invested in, as it is not a direct revenue generator. It is usually seen as a burdensome obligation, rather than an essential part of business.
Lack of leadership is also a common barrier: companies should be aware of the risks ineffective leadership poses to their cybersecurity. Further, people in leadership roles should commit to cyber-resiliency and awareness.
So companies must take an honest and accurate view of their current situation. Based on that, they can easily identify the main issues in governance, process, technology and workforce that they need to address.
Most organizations that face a cyberattack or a breach are usually too confident in their protection processes and measures, and they take the wrong cybersecurity decisions.
Hence, cybersecurity should be considered as more of an investment than an obligation.
And I would like to say that cybersecurity is not an insurance policy, it is an investment. You need insurance when something goes wrong, whereas an investment is something that guarantees returns.
Clicking on a malicious link might create a breach that can cost the company, on average, 680,000 euros. By comparison, a training programme educating on cyber risks will just cost 80,000 euros.