On Cyber security: Executives may be the weakest link

Emmanuel Okochu
Published in Co-Creation Hub
Jan 31, 2017 · 4 min read
Figure 1: Logo of the popular television game show, “Weakest Link”

The Weakest Link is a popular TV game show that originated in the UK. In the show, nine contestants work as a team to try to win as much money as possible by correctly answering questions thrown at them in quick succession. Each correct answer advances the team one step along a chain of increasing prize values; a wrong answer breaks the chain, the unbanked money is lost, and the chain starts again from the bottom. At the end of each round, the contestants vote for whoever they think was the “Weakest Link” in that round, that is, the person they felt gave the most wrong answers. The person with the most votes is eliminated.

This illustration describes how companies practise cyber security to protect their most valuable data. A chain of technologies, people and processes is put together to provide adequate protection against data breaches, fraud, hacks and other cyber attacks, because cyber security has grown into one of the biggest risks facing large businesses globally. According to the Privacy Rights Clearinghouse, a nonprofit consumer education and advocacy organisation, over 5,000 breaches have been recorded since 2005, costing companies billions of dollars in losses. A more recent example of the damage a breach can do to an organisation is Yahoo, the popular media company. Between 2012 and 2016, Yahoo reported four security breaches in which almost 2 billion Yahoo accounts were compromised. These events surely affected the company’s value, leading to a revaluation of its pending sale to Verizon. The reality of cyber threat cannot be overemphasised.

Figure 2: Layered security

For the professionals trying to prevent these attacks, the emphasis has always been on layered security (defence in depth), in which several security tools and processes are implemented across the organisation so that protection is built up in layers, like an onion. Layered security gives comfort that even if one layer fails, another will still protect the organisation. This naturally leads to the question of which layer is the weakest link. Over the years, the consensus has been that the people within the organisation, the general staff, are the weakest link in an organisation’s cyber security, whether through negligence (falling for phishing, mishandling data) or through malice; the latter is usually termed the “insider threat”. As a result, organisations spend a lot of time, effort and money on staff awareness programmes, background screening and whistle-blower programmes to counter it. But by focusing so much on ordinary staffers, we may have missed the real weakest link: executives.

Experiences from my cyber security career hint that executives, not staff, may be the real weakest link. Very few executives relate to or understand the jargon presented to them in many cyber security reports or training sessions. Most executives still struggle to understand information technology, which is the base platform on which cyber security operates. Many executives are allowed to flout the company’s information security policies unchallenged. In fact, security layers are removed for some executives for the sake of convenience! These realities make it even more plausible that executives within the organisation are more exposed than general staff.

Figure 3: Executive awareness training

What To Do?

In order to eliminate this weak link, security teams need to provide rigorous security training and awareness to executives. As with the TV show, the weakest links are usually the contestants with the smallest body of knowledge. By increasing your body of knowledge, you reduce your chances of being voted the weakest link on the show. In the same vein, if executive knowledge of cyber security is actively and constantly increased, their chances of being the weakest link will greatly reduce. Conducting executive security awareness workshops quarterly instead of annually, and ensuring executives are fully covered in all organisational awareness campaigns via emails, wallpapers and desktop banners, will improve their cyber security knowledge and make them less susceptible targets. Training alone, however, does not undo the exemptions described above: the security layers removed for executives’ convenience need to be reinstated, and any remaining exceptions to policy should be formally approved, recorded and periodically reviewed rather than granted silently.

To conclude, information security should be aligned to the business. One reason why executives (and staff) still struggle with this topic is insufficient alignment with the business. Once cyber security is communicated in the language of the business (profit, revenue, risk, reputation, regulation and so on), more people will understand what needs to be done to safeguard the organisation’s data. Less jargon equals more protection.

Photo Credits:

Figure 2: https://www.capgemini.com/blog/capping-it-off/2015/08/layeringinformation security-controls

Figure 3: http://www.goucher.co.uk

** Article originally posted on my LinkedIn page
