Cyber security, staff and the cock-up theory

Are main board directors concerned about the US NSA and the PRISM program? Not too much, it appears, and the same goes for attacks by criminals or competitors. The big cyber security problem, a survey shows, comes from the staff.


Though the conspiracy theory is often attractive, even strangely romantic, it is usually the cock-up theory that applies when it comes to the primary causes of cyber-insecurity. That, at least, is the view of main board directors in the recently published survey, ‘Boardroom Cyber Watch 2013’.

And in a world where cloud services are now a mainstream and growing part of the IT resources mix for most businesses, security problems caused by staff can far too easily grow to be a major issue.

The cock-uppers in question are, the survey showed, most likely to be a company’s own staff. Despite there having been many attention-grabbing headlines about cyber-threats from external attackers, with the leaks about the US NSA and its PRISM programme being really lush icing on the cyber-threat cake, the survey showed that company bosses in fact see their own employees as the greatest threat to corporate data and computer systems.

That is the view of 53 percent of the 260 board directors, IT directors and other technology professionals polled for Cyber Watch, an international survey of senior executive opinion conducted by IT Governance, a specialist in IT governance, risk management and compliance expertise. The threat was ranked ahead of risks from criminals, at 27 percent, state-sponsored cyber-attackers which, given the brouhaha surrounding the PRISM allegations, the survey put at a remarkably level-headed 12 percent, and competitors at just 8 percent.

The cock-up risk, of course, comes from staff being sloppy with their work, or perhaps trying to complete tasks too quickly, rather than being deliberately malicious. After all, while adhering to governance and compliance procedures can be vitally important to the business, those procedures can sometimes hinder staff in completing their work.

And like the white van drivers who cannot keep to their allotted timetables without breaking the speed limit, staff may find that some governance practices have to be circumvented for a job to be completed at all.

It is certainly possible to look at that figure of 53 percent for staff-created security issues and suggest that many businesses should therefore start to look at their staff training programmes, and the workload placed on staff members.

This is not to down-play the other cyber-security threats these businesses can face. The survey has confirmed the high level of cyber-threat facing today’s organisations, with 25 percent of bosses saying they have received a ‘concerted attack’ in the past 12 months. However, the true total may be higher, as over 20 percent state they are unsure if their organisation has been subject to such an attack.

The survey does seem to show that many board directors are still inadequately informed about cyber-risks. For many of them, security is still something of an after-thought, with the survey showing that while the majority said their board receives ‘regular’ reports on their organisation’s IT security, a whopping 52 percent said that such reports are received, at best, annually.

Only 5 percent say reports are submitted daily, with 11 percent being submitted weekly and 33 percent monthly. With cloud services moving more mainstream, monthly reports must now be considered completely insufficient, with even weekly reports stretching the ability of a business to keep tabs on security issues in an environment where the increasing collaborative capabilities of cloud services might well help an unchecked security issue spawn itself around a network of business partners, suppliers and customers with remarkable ease and speed. 

Furthermore, despite cyber-threats potentially impacting many mission-critical business operations, only 30 percent of respondents said that having an understanding of current IT security threats is a prerequisite for board-level job candidates. So this situation is unlikely to get better too quickly, which is particularly risky in an era of ever-flatter management structures.

Alan Calder, Chief Executive of IT Governance, says: “In the face of the rapid development and deployment of new cyber-threats, such infrequent executive oversight of IT security status seems alarmingly casual. Companies are not ignorant of the risks: 77 percent of bosses told us their organisation has a method for detecting and reporting attacks or incidents. However, in the boardroom, many companies still appear too removed from the action for directors to meet their governance obligations.”

Yet the survey reveals the competitive advantages that flow from effective information security. Over 70 percent of respondents say their customers prefer dealing with suppliers with proven IT security credentials, while 50 percent say their company has specifically been asked by customers about its information security measures in the past 12 months.

Calder says: “The best way for organisations to prove their cyber security credentials is to comply with, and be certificated against, ISO 27001, the global best practice standard for information security management. This lets you signal to customers anywhere in the world that you have a robust method for addressing the entire range of risks associated with systems, people and technology.”

 
