Top five cyber security mistakes
Recent headlines confirm that cyber attacks are growing in scale and incidents are on the rise.
Organizations are increasingly vulnerable as a result of technological advances and a changing workplace, including remote access, big data, cloud computing, social media and mobile technology.
The amount and importance of data continues to grow, as does the sharing of information via online networks. Organizations increasingly open their IT systems and lose direct control of data security.
Today, cyber security is no longer just an IT issue; it is a challenge for the leadership of any organization.
Rather than focusing on technology alone to address these issues, it’s critical that management, boards and shareholders understand the most common cyber security mistakes so they can adopt a flexible, proactive and strategic approach to building an informed organization.
KPMG LLP recently surveyed 100 primarily C-level and senior executives in the technology industry for our 2014 Technology Business Outlook. Technology executives continue to believe that security is the biggest challenge to businesses adopting Cloud, Mobile or social media technologies and almost two-thirds expect their company to spend one to five percent of their revenue on information security over the next 12 months.
With data security being one of the top concerns of business leaders, including many of our clients in the Denver/Boulder market, particularly telecommunications and software companies, we’ve compiled five common cyber security mistakes that company leaders should work to avoid.
Most common cyber security mistakes
KPMG has seen these five cyber security mistakes made repeatedly, often with unfortunate results.
- Mistake: “We must achieve 100 percent security”
Reality: 100 percent security is neither feasible nor the appropriate goal
Whether it remains private or is made public, almost every large, well-known organization will experience information theft. Once you understand that perfect security is an illusion and that cyber security is “business as usual”, you also understand that more emphasis must be placed on protecting your most important information assets, in addition to improving detection and response capabilities to identify and address issues as they arise.
- Mistake: “When we invest in best-of-class technical tools, we are safe”
Reality: Effective cyber security is less dependent on technology than you think
The world of cyber security is dominated by specialist suppliers, such as those that sell products enabling the rapid detection of intruders. These tools are essential for basic security, and must be integrated into the technology architecture, but they are not the basis of a holistic and robust cyber security policy and strategy. The investment in technical tools should be the output, not the driver, of cyber security strategy.
- Mistake: “Our weapons have to be better than those of the hackers”
Reality: Security policies should primarily be determined by your goals, not those of your attackers
The fight against cyber crime is an unwinnable race if it’s defined solely as an arms race with attackers, who are constantly developing new methods and technology, forcing companies to keep investing in increasingly sophisticated tools to prevent attacks. Managers need to understand what types of attackers their business attracts and why and assess their own risk profile and prioritize policies, procedures and controls based on that risk profile.
- Mistake: “Cyber security compliance is all about effective monitoring”
Reality: The ability to learn is just as important as the ability to monitor
Cyber security is very much driven by compliance with certain laws and policies. However, only an organization that is capable of understanding external developments and incident trends, and uses these insights to inform policy and strategy, will succeed in combating cyber crime in the long-term. Effective cyber security policy and strategy should be based on continuous learning and improvement to improve the company’s program and protect their highest value assets, not simply reacting to a regulatory compliance issues that may address only part of their environment.
- Mistake: “We need to recruit the best professionals to defend ourselves from cyber crime”
Reality: Cyber security is not a department, but an attitude
Cyber security is often seen as the responsibility of a department of specialist professionals, which may result in a false sense of security and may give the broader organization the mistaken idea that it’s not their problem. The real challenge is to make cyber security a concern of the entire organization. For example, this means that cyber security should become part of HR policy. It also means that cyber security should be built into the requirements for key business and information technology initiatives vs. retrofitting security into business processes, IT systems or third-party controls only at the end of such projects.
Developing a strategic, customized and comprehensive cyber security program — driven from the top — will help companies avoid these common security mistakes and build an informed and knowledgeable organizational culture.