It’s no surprise to say that we have become a technology-reliant culture. Every organization, whether operating in the public or the private sector, relies on technology in some way as part of its processes. As a result, keeping this information secure has become a focal point for organizations.
It’s important to understand that cybersecurity is not like “normal” security. There is no single gatekeeper whose role is to keep our cyber systems safe. The responsibility belongs to everyone in an organization, but it is down to those in leadership positions to stress the importance of cybersecurity to their employees and to develop a strategy that is tailored to the risks of each organization.
How much information do you share?
A large part of avoiding cyber-attacks comes down to awareness. Are you aware of how much information you’re already sharing publicly and how this information can make you vulnerable? Are you aware of how your behavior can impact the larger organization?
Here’s a scenario that could happen at any organization. An employee uses social media to promote the organization’s attendance at a conference. She gets an email the next day from someone claiming to be a journalist from a well-known publication who was at the conference but unable to speak with her there because he was busy with another assignment. He asks her to email him a few responses to questions he has attached. The employee has no reason to believe this to be anything other than a legitimate request, so she opens the attachment, reads the questions, types up a response, and sends it on.
This seemingly innocent situation may be just that - a great opportunity to publicize the organization’s work. Alternatively, it could be one of an increasing number of cyber-attacks known as “spear-phishing.” These are carefully crafted emails that make use of a person’s personal information, often harvested from social media and websites. The purpose is to make the email entirely believable so that the target clicks on links or attachments in the email.
Such attacks typically seek to have the recipient download malware: malicious software that might be designed to grant control of the user’s computer to the attacker, allowing them to gain access to the organization’s wider computing infrastructure or to sensitive information held on the user’s computer. Or the attack could use ransomware, which encrypts the user’s data files so that they become unusable unless the user hands over payment in return for unlocking the data. These are just two types of attacks that are seen every day by security specialists.
Of course, the answer here isn’t to prevent employees from using the Internet and email. It is not a suggestion to use less technology, but the example illustrates what can happen when employees don’t appreciate the risks or haven’t given thought to the kind of precautions they should take.
Vigilance and awareness
Senior managers also need to prioritize cybersecurity. One of the fundamental measures to ensure good cybersecurity is leadership. People at the top of an organization need to communicate the importance of keeping the organization secure and creating a culture of security awareness. They must draw attention to the need for vigilance and awareness, asking people to think about the personal information they share: the “digital footprint” that everyone now has.
Leaders must also drive culture change, encouraging the organization to think about security and risk, and discouraging complacency and belief in security absolutes. They need to acknowledge that cybersecurity attacks will happen frequently, and that the attackers will occasionally be successful. So leadership is needed to prepare for and respond to such events, including support for investment in the measures necessary to reduce both the chance of succumbing to an attack and its impact. When you consider that suffering a breach is almost a certainty, and with the average cost of a data breach estimated at $4 million to $6 million, such investment seems a small price to pay.
About this author
At CGI, security is part of everything we do. Our end-to-end offerings include consulting and training, integration and implementation, managed services and cyber insurance services. Through our global network of Security Operations Centers (SOCs) with state-of-the-art infrastructure operating 24/7/365, we have a 360-degree view ...