March 28, 2019
Although security leaders may be effective at reducing the impact of cyberattacks within their own four walls, board directors should be aware that malicious insiders are still one of the top two threats, according to our research. It is a fact that serves as a timely reminder for all organizations—protect yourselves from the inside out.
According to the Accenture Ninth Annual Cost of Cybercrime Study, organizations have experienced sizable increases in phishing and social engineering attacks, up 16 percent; ransomware, up 15 percent; and stolen devices, up 13 percent in just one year. These are all areas of concern that give credibility to the argument that humans are still the weakest link when it comes to an organization’s cybersecurity defenses. And with 71 percent being vulnerable to hacking groups using spear phishing, a 55 percent spam rate, and 669 million new malware threats in the last couple of years, a momentary lapse of concentration can prove highly damaging. The prospect of 200 billion connected things by the year 2020 means this vulnerability is only going to get worse for your company and its employees.
Today, the security function is largely centralized and its staff are often excluded when new products, services, and processes—all of which involve some sort of cyber risk—are being developed. This siloed approach can result in a lack of accountability across the organization and a misplaced perception that security isn’t everyone’s responsibility—only 16 percent of CISOs in our survey said employees are responsible for cybersecurity today.
At a granular level, even where organizations regularly pressure test their resilience, the people involved can undermine red and blue team exercises. Red teamers may have difficulty behaving like a real adversary, and defenders can develop "blue team fatigue" following a constant stream of demoralizing attacks. Worse still, the two sides may develop unhealthy divisions and fail to communicate effectively before, during, and after an exercise.
As a result, the board should assume the task of holding the C-suite accountable for putting people first as a security priority throughout the organization.
To tackle insider threats and foster a culture of accountability, boards should ensure that CEOs rally human resources, talent development, legal, and information technology teams to work closely with the security office and business units. Here are five ways directors can suggest that their organizations take on this risk from within:
Creating Security-first People
People are often unaware of cybersecurity threats, think they’re already protected by existing procedures, or underestimate the repercussions of a security breach. And while there is no single behavior that keeps people secure online, the vulnerabilities posed by humans can be effectively addressed.
Accenture has developed a Human Vulnerability Assessment—a diagnostic tool based on a data-centric approach. It identifies the highest priority areas to help people stay safe, the immediate actions and interventions needed to improve their weaknesses, and offers benchmarks to make comparisons across industries or geographies.
If you expect to fully protect your high-value assets, keep “the people dimension” in mind. When security behaviors are better monitored and managed, people can be part of the solution, not the problem.
Bob Kress is a managing director at Accenture Security where he is the co-chief operating officer and the global lead for quality and risk.