Are you worried about how a cyber attack could affect your business? Jeremy Rasmussen, CTO of cyber security specialist Abacode, explains how best to talk to your tech team about cyber security.
In a perfect world, CEOs would never have to think about hackers stealing sensitive data or breaking into company networks.
Yet even with cybersecurity making the headlines, there are many who aren’t making it a priority. Many CEOs simply hand all responsibility to IT departments to oversee both IT and cybersecurity.
As cyber-attacks become increasingly sophisticated and regulatory fines rise higher than ever before, this simply isn’t appropriate or effective.
Studies have shown that up to 67% of UK businesses were hacked in 2016. To take control of their cybersecurity situation before it’s too late, CEOs must lead the effort by having frank conversations with their internal IT teams.
Here are some of the key questions you should be asking your CTO and why...
When did we last complete a risk assessment?
The amount of data being generated and stored by companies is growing exponentially. At the same time, hackers are becoming increasingly sophisticated in launching large-scale cyber-attacks.
As such, even the most detailed risk assessment will be out of date after a short time. Cohesive planning for forestalling and responding to cyber-attacks should be an ongoing task, not a one-off job left solely to the internal IT department. A trusted external Managed Security Service Provider (MSSP) will ensure risk assessments are always relevant. Security must be designed in from the beginning, rather than bolted on as an afterthought at the end.
Do we have visibility of our networks 24/7?
The cybersecurity measure used most often by businesses is the firewall. While firewalls block certain attacks, they have serious limitations: they cannot stop attackers who exploit human nature to gain access to networks, and they often fail to provide alerts when an attack has been attempted.
Companies must have eyes across the entirety of their network to deal proactively with cyber-attacks. Best practice is to introduce host- and network-based intrusion detection systems (IDS) along with security information and event management (SIEM) software. As a SIEM generates a great deal of intelligence, a fully trained security operations centre (SOC) is essential to monitor the network 24/7 and to inform executives when a major attack has taken place.
Do we have the right skill set to deal with cyber-attacks?
It’s predicted there will be a global cybersecurity talent shortage of 1.8 million by 2020. Recruiting, training, and retaining cyber talent is difficult and requires heavy investment. CEOs must begin putting their money where their mouth is if they’re serious about protecting company data. Most won’t be able to maintain a full cyber team, so a trusted MSSP to review security architecture and monitor countermeasures is likely the winning strategy.
Will we be GDPR compliant by May 2018?
Very few CEOs are confident they will be GDPR-compliant by May 2018, and nearly 90% of companies have poor structures in place when it comes to cybersecurity. It’s common practice for internal IT teams to be responsible for governing their own cybersecurity systems, but this simply wouldn’t happen in any other industry! A shake-up of this practice is needed; otherwise companies risk huge non-compliance penalties as well as cyber-attacks.
GDPR will necessitate not only proper governance but also understanding the who, what, where, when, how, and why of your data. All firms will require this level of privacy audit, together with the construction of a plan to secure the data.