Resilient organizations are high on trust. They trust each other, they trust their processes and they trust their practices. It’s this trust that helps them deal with unexpected events and recover from setbacks. And with so much work now done online, it often comes down to trust in online practices.
The U.K. National Health Service recently fell victim to a hack that led to the cancellation of 20,000 operations and appointments, and the latest software at seven global banks could not stop the partial or complete shutdown of multiple operating systems. EEF recently found that in 2017, almost half of U.K. manufacturers were subject to cyber-attacks and that one-third were nervous of digital improvements. The warning from EEF chief executive Stephen Phipson could not have been clearer: “More and more companies are at risk and manufacturers urgently need to take steps to protect themselves. Failing to get this right could cost the UK economy billions of pounds [and] put thousands of jobs at risk.”
Despite this report and evidence of recent high-profile hacks and breaches, cybersecurity is still often seen as someone else’s responsibility in the workplace. To date, the formal security response has been largely transactional. It has been based on identifying and stopping incoming attacks and assessing preparedness through means such as penetration testing, education and binary assessment. The problem with this approach – and it is one cyber specialists recognize – is that there is no one silver bullet.
Developing organizational resilience demands collaborative decision-making; flexibility in terms of ideas, views and actions; and innovation in terms of imagining and creating. While many security teams already possess these attributes, they are internally focused, with an imagined wall between cybersecurity and the rest of business. Security professionals need training to change that perception and encourage responsibility and accountability at all levels.
Out of Sight, Out of Mind
Once the business is deemed safe, the appetite to apportion more resources diminishes. Understandably, money goes to other deserving causes: enhancing the customer experience, investing in projects, recruitment, etc. Ironically, these areas are the very ones that are often the most vulnerable to attack. Cybersecurity is a strategic enabler.
Develop the Culture
Security has to move beyond infrastructure and requires a shift in culture. This is difficult; business units often struggle to share information, are hierarchical by nature and are protective regarding their bottom line. Cyber teams need training to change and become much more than the techies in the basement.
Delivering Individual Accountability
The great majority of malware attacks start with an email to an employee, and cyber practice in the home mirrors cyber practice at work. Until we can train employees to take responsibility for their operating environment, cyber attackers will always find an easy target. To meet this challenge, one client came up with the idea of inviting spouses and families into the office to brief them on cyber threats in the home. This approach, combined with a non-uniform shredding day, placed cybersecurity into day-to-day conversations and encouraged a sense of advocacy.
Each organization should develop a training course of action based on its unique workplace situation. This course should include identifying employees who are cyber-competent and those who are not, yet believe they are.
Warren Buffett told CNBC last month that “cyber is uncharted territory — it’s going to get worse, not better.” Better managing this challenge requires training and the development of a resilient workplace culture.