It happened again. On December 17, 2019, LifeLabs, Canada’s largest private laboratory of diagnostic testing for health care, announced that it had suffered a cyber attack that involved unauthorized access to its computer systems and compromised the personal information of about 15 million customers, primarily in the provinces of British Columbia and Ontario.
The cyber attack occurred last October and LifeLabs paid a ransom to retrieve the stolen data.
For businesses, this is just another reminder that cyber risk is everywhere and, as cyber attacks become the “new normal”, it’s high time to rethink their cybersecurity strategy.
According to Carbon Black’s Second Canada Threat Report, 88% of Canadian businesses reported suffering a data breach during the past 12 months. The report also found a significant increase in overall attack volume compared with last year, as well as in the attacks’ level of sophistication. Even though companies plan to increase their security budgets in 2020, many of them are still struggling to build a proactive and holistic strategy embedded into operations and culture.
The main cause of this issue is linked to how cybersecurity is treated and perceived within organizations. Most of the time, cybersecurity is just a back-end job and is usually seen as a business blocker. Historically, organizations have hired CISOs (Chief Information Security Officers) or security professionals to complete technical tasks and have not seen security as a strategic asset.
Now that businesses are accelerating their digital transformation efforts by shifting to cloud architectures, they need to radically change their security strategy by breaking down the walls that keep this key department isolated from the business.
Below are four things to take into consideration to make cybersecurity a business priority:
1. Reframe cybersecurity as a business enabler
Cybersecurity teams are often isolated from the business and overwhelmed by routine operational tasks. In addition, cybersecurity is often considered an overhead cost rather than a business enabler. When security works closely with the business, it helps support agility, innovation, and growth by enabling the organization to win customers and retain their loyalty, increase productivity, boost brand equity, and gain the confidence to expand into new markets or develop new solutions. When aligned with business goals, security can generate a positive ROI and empower organizations to be better at what they do and innovate faster than their competitors.
2. Position cybersecurity as an influencer
Giving cybersecurity the power to influence stakeholders within your organization can be beneficial in many respects. The first step would be to decide the type of influence you want security to have, depending on your goals and security needs, and to determine security KPIs. Then, you can give your CISO or Security Director the authority to participate in and influence business decisions in order to drive change internally. If there is some reluctance from business leaders to collaborate with your security team, you can incentivize this initiative to encourage teamwork.
3. Create a culture of cybersecurity
Today, cybersecurity is everyone’s responsibility and is no longer relegated to IT professionals. With the rise of cloud technology, businesses and employees have increased their use of mobile devices such as laptops, tablets, and smartphones and, consequently, have increased the risk of cyber threats. Even if your organization is equipped with cutting-edge security technology and has implemented security policies and governance, the most powerful way to protect your organization is to promote a culture of cyber awareness. This culture needs to come from the top of your organization to be effective. If everyone is aware of what suspicious activities look like and knows how to identify a phishing email or a malicious website, your employees will become your best firewall and reduce risk. Creating a cybersecurity culture does not happen overnight, but when the C-suite demonstrates a willingness to create a culture of cyber awareness, it becomes possible.
4. Work with a managed security service provider (MSSP)
The growing complexity of the security ecosystem, combined with budget constraints and a skills shortage, has made it difficult for IT security professionals to ensure proactive business protection. That is why working with a managed security service provider might be an invaluable resource to give your in-house security team the time, knowledge and talent they need to be efficient and more business-focused.
An MSSP can also help organizations simplify their vendor ecosystem, meet compliance needs and build a solid cybersecurity strategy that will meet a business’s specific requirements.
With the advent of the digital era, trying to build a protection wall around your business is no longer sufficient. As we get more connected, cyber threats will become increasingly numerous and sophisticated. Cybersecurity is more than a means of defense, and to demonstrate its real business value, it needs to be part of the company’s strategy and culture and supported by the C-suite.
Now might be the time to empower your security leader and team to establish digital trust and let them become a key component of your organization’s success.