Why technology is not the sole fix to beat the growing risk from hackers

A successful security-first strategy needs to combine the right technology with decision-making that factors in cyber risk and is embedded throughout the company to ensure gold-standard protection

The pandemic may have put a brake on much economic activity, but it has proved a massive opportunity for cyber criminals. In the U.S. alone, cyber attacks jumped by over 300,000 year-on-year to almost 800,000 in 2020, with estimated losses totaling more than $4 billion.

For many organizations, the response has been to turn to technology. However, this is not a complete solution, as simply installing technology still leaves companies vulnerable to attacks and business outages. According to Michael Kiss, head of cybersecurity at Telstra Asia, a security-first, whole-company IT approach is vital for businesses to protect themselves on the cyber front. Increasingly, a comprehensive security foundation is also crucial for companies looking to make inroads into competitive markets such as Asia.

Mr. Kiss says that only when an organization takes a three-pronged approach—making cybersecurity a core and transparent part of its operation, closely integrated with strategy and business decision-making and embedded across its culture—can it hope to protect against the growing threat from hackers. Furthermore, adopting this approach allows a company to manage risk while growing, as it can be scaled as required.

“We’ve all used IT systems where security is a bit of a blocker. To be effective it must be transparent—something that just happens in the background—or people will circumvent it,” he explains. This means reducing complexity wherever feasible, while still making it impossible for users to act in ways that increase risk—by sharing passwords, for example.

“The trap too many companies fall into is to treat cybersecurity as a technology function, with technologists making all the decisions without regard to the real-world business impact. In fact, it’s a hybrid of technology and business,” he says.

This means the business must be looked at as a whole and each business decision examined as to how it will affect the overall security and risk posture of the organization. “Always looking at how doing x will affect client data or level of risk exposure, for example, is a must,” Mr. Kiss adds.

This integral approach is linked to the third attribute of a security-first IT program: to embed a culture of security throughout an organization. “This is hard,” Mr. Kiss says. “It’s important to avoid the common mistake of believing you will change the culture of an organization. Rather, it involves looking at the culture of the business and working out how to make security part of that.”

When these three elements are applied together, cybersecurity becomes central to the IT infrastructure of the business, its people, and its decision-making processes. Ignoring any one of them, however, could end in disaster.

In 2014, U.S. bank JPMorgan Chase suffered a massive cyber attack, compromising the data of 76m households and 7m small businesses. Despite having spent hundreds of millions of dollars on cybersecurity, including cutting-edge technology and employing talented staff, the breach went unnoticed for two months and remains one of the largest disclosed breaches of all time.

Nearly a decade on, however, it appears more businesses understand the need for first-class cybersecurity. According to Telstra’s own research paper The APAC Transformation Vision: Balancing Digitalisation Ambitions with Cost Objectives, it has risen up the boardroom agenda to the extent that today it is a top priority for 39 percent of the C-suite. Regulation is part of the reason. Today, in some jurisdictions such as the Philippines, there are civil and criminal consequences for board members who fail to report cybersecurity breaches, for example.

While regulations are becoming more demanding, particularly in terms of personal accountability, they are not the only reason why boards are paying security more attention. They are starting to understand that good security means good business, particularly when cybersecurity is presented as a business case.

“A business case sets out the risks and the cost of mitigation. But even then, it can be hard to find the right numbers,” says Mr. Kiss. “One chief information officer told me recently that he knew he had security risks, but he couldn’t tell the board exactly where they were or their extent. My solution was to look at the most important revenue streams and where reputation could be damaged most and define those services, along with the infrastructure and the technology needed to protect them to meet a set standard across all its markets. He was then able to go to his board and say they had a cyber risk of $400m and needed $30m to mitigate it.”

The beauty of this approach is that when organizations get it right, cybersecurity will scale with growth. “By setting standards that work across the organization you get a consistent approach to managing risk, without silos, no matter the line of business or location. It also means that as you enter new markets, the security program can easily be extended,” he says.

In this context, cybersecurity becomes less a security strategy and more a business enablement strategy. This is a huge advantage for those operating in or wanting to enter Asia, where regulations vary hugely according to jurisdiction.

“How you treat personal data in China, for example, is completely different to Singapore,” Mr. Kiss says. “By taking an overarching view and finding the common themes across all your current and potential markets, then setting reporting standards, you will remove risk and make life much easier. And that’s why a security-first IT strategy is a must.”

This article first appeared on Wall Street Journal’s custom content