Joe Baguley, Vice President & Chief Technology Officer EMEA, VMware
Businesses are using insights accrued from the growing number of customer touch points to personalise services and keep one step ahead of the competition. However, as data becomes more valuable, it becomes increasingly vulnerable. Organisations are deploying more applications on more devices in more markets than ever before, creating greater exposure to cyber attacks from skilled and opportunistic lone individuals and organised groups.
Print is forever
As evidenced in the media, high-profile data breaches have been gathering momentum in both frequency and controversy, highlighting their long-term impact on a business’s market position, profit and reputation. These attacks also emphasise the often grossly insufficient and inconsistent security strategies behind the scenes, leaving many organisations wide open to threat.
So what steps need to be taken to mitigate these threats and fight back? And who do we hold accountable when a breach does occur? We wanted to explore these questions further, so we questioned 500 office workers and 250 IT decision makers in UK organisations to get their views, with some interesting findings.
The status quo
Our research revealed that almost a quarter (24%) of businesses expect to suffer a cyber attack in the next 90 days. When attacks take place, 29% of UK IT decision makers (ITDMs) believe the CEO should be held accountable. Despite this, additional research conducted by the Economist Intelligence Unit revealed that just 5% of UK corporate leaders consider cyber security a priority for their business.¹
So with cyber attacks posing a constant threat (and management often looking the other way), what other issues are prompting risk?
• Employee culture
55% of ITDMs cite careless employees as the greatest security challenge. Over a quarter (26%) of employees admit to using their personal device to access corporate data, and a further 16% would risk breaching policy to carry out their job more effectively. Is this indicative of a wider lack of basic ‘digital skills’?
• Skills gap
Nearly half of ITDMs (43%) agree that their IT team lack the necessary skills to protect against cyber attacks.
• Inability to respond fast enough
More than one in three ITDMs believe one of their greatest weaknesses in the face of a cyber attack is that threats move faster than their defences.
• Inflexible infrastructure
While almost a third (32%) of ITDMs are investing in modernising their data centre technologies, the frequency of cyber attacks suggests that many are still relying on ageing infrastructure and outdated practices.
When a breach occurs, it’s easy to point the finger and decide on a strategy based on hindsight. So what steps should be taken to close the loopholes and protect against threat in the future?
• Taking it to the top
Cyber security is no longer a responsibility reserved just for the server rooms and IT teams, especially as the financial impact of these attacks becomes more momentous. Success starts with effective communication with the board, and following a breach, senior management must collaborate with other departments to identify issues and establish the company line to restore the confidence of customers and investors. Security should be a top line issue.
• Reinforce words with actions
Keeping the conversation flowing is one key element; the other is getting IT on track to defend against threat. With applications and data on more devices in more locations, organisations need a flexible software-defined architecture for security, built into the fabric of the technology infrastructure from the data centre to the device. Virtualization offers a platform for this new architecture, allowing organisations to fortify security dynamically and responsively from the inside out – inside the application, inside the network, and at the user and content level.
• Protect whilst enabling employee mobility
Complicated passwords or procedures can cause frustration for users, tempting many to take short cuts which engender risk. Simplifying processes whilst keeping users and data safe is critical. The more you can build security into a system as opposed to relying on humans, the better the chances of staying secure.
• Start with the users
Some basic education of your user base with regard to cybersecurity and data/device hygiene can significantly help. Social engineering is an increasing attack vector, so making people aware of such methods can only improve security.
Businesses need to invest not just in new services, but in the security to keep these services safe and ultimately protect the longevity of their brand name. The formula for success is much more collaboration between IT and senior management, and the implementation of the right tools to better protect against the volume and might of cyber crime in our ecosystem.
Lastly, businesses should take a software-defined approach to IT, to ensure responsive and adaptable security is built into every element – and it will be these businesses who will gain the flexibility required to both secure and succeed as a digital business in the long term.
¹The Economist Intelligence Unit (EIU), research conducted between January and February 2016