C-suite puts businesses at risk by ignoring cybersecurity protocol
Written on the 1 October 2019 by David Simmons
No matter how often you change your passwords, update security protocols and software, and invest in protecting data, it can all come undone by personnel that don't comply with security policy.
As it turns out, the biggest culprit when it comes to non-compliance of cybersecurity policy is those sitting in the c-suite.
According to Bitdefener's latest 'Hacked Off!' research report there is an ongoing lack of respect among Australia's c-suite for cybersecurity protocol.
The group's research revealed 57 per cent of c-level executives are the least likely to comply with organisational policy.
That figure is made all the more concerning when read in conjunction with Bitdefender's findings that six in every ten businesses have suffered a data breach in the last three years.
Bitdefender regional director ANZ Demetrios Georgiou (pictured) says the danger of the enemy within is one of the most troubling revelations by the company's research.
"One of the most important aspects revealed by the survey is the lack of cybersecurity understanding from senior management, lack of discipline from general employees and pushing back the rules from various departments," says Georgiou.
"Unbelievably, but Senior Management and Legal are most vocal and tend to fend off cybersecurity best practices received from IT 30 per cent from all answers in ANZ nominated them on top of the chart."
"Sales teams and R&D are registering the same present, and surprisingly, HR also perceived as a body to enforce and support best practices register a 28 per cent is discussing and rejecting cybersecurity best practices."
"When the teams do not push back, they just disregard the rules."
"Who are the champions here? Of course, the keepers of the gates! Senior Management are top of the line with an amazing 27 per cent in disrespecting the rules, Marketing/Communications with 26 per cent, Sales 25 per cent and surprisingly HR, also a keeper of the gate is scoring 23 per cent."
"Legal is decent with 18 per cent of instances of being caught red handed."
Georgiou says this lack of respect for cybersecurity rules by the c-suite comes part and parcel with their lofty role.
"There is a thin line between recommended security practices and productivity, and sometimes, C-Level executives are willing to walk across it," says Georgiou.
"Whether they take advantage of their position of power to "make things happen" or demand privileged access to data that is not on a need-to know basis, C-levels don't always stick to the best cyber-security practices."
"Some examples include getting access to source code repositories even if they don't necessarily need such access, or worse yet, they put extra pressure on the financial department to expedite invoice payments for fear of losing opportunities or because they have omitted to do so in the past."
A direct result of c-suite execs and below ignoring cybersecurity protocol is the damaging effect it is having on Infosec professionals.
These diligent defenders of data are feeling the heat of increased cybersecurity threats.
Infosec professionals are suffering from breach fatigue. On average, over half (53 per cent) of endpoint detection and response alerts are false alarms, and 49 per cent of Infosec professionals say their team experience both alert and agent fatigue.
Their stress levels are high. This is compounded by the belief that 73 per cent of them think their organisation is more at risk of a cyber-attack because they are under-resourced. This is higher (78 per cent) for companies employing more than 1,000 people.
"According to respondents, resources are such a stressor that 17 per cent of Infosec professionals have contemplated leaving their job due to under-resourcing in terms of staff," says senior E-Threat analyst at Bitdefender Liviu Arsene.
"Resources are in fact such a bugbear that Infosec pros say the main obstacles to their organisations' strengthening their cybersecurity posture are a lack of budget and a lack of skilled personnel."
But how to defend against data breaches? Bitdefender says that network traffic analytics is the most efficient countermeasure in identifying suspicious activities and breaches, with 20 per cent of respondents naming it as their tool of choice.
Suspicious network behaviour based on firewall was the second tool of choice in 2017 and 2017 but dropped down to only being named by six per cent in 2019.
"This drop shows that firewalls became limited in protecting modern business," says Georgiou.
"They remain only perimeter security devices and they are limited to applying policies against visible packets that travel through them."
"Agile businesses have moved to the cloud because of its scalability, efficiency and reliability, amongst other benefits. As the cloud becomes increasingly common and the data deluge shows no signs of slowing down, the good old firewall is simply no longer enough for protecting the highly distributed assets of the enterprise."
Business News Australia
Author: David Simmons