Recent headlines confirm that cyberattacks are growing in scale and incidents are on the rise.
Organizations are increasingly vulnerable as a result of technological advances and a changing workplace, including remote access, big data, cloud computing, social media and mobile technology.
The amount and importance of data continues to grow, as does the sharing of information via online networks. Organizations increasingly open their IT systems and lose direct control of data security.
Today, cybersecurity is no longer just an IT issue — it is a challenge for the leadership of any organization.
Rather than focusing on technology alone to address these issues, it’s critical that management, boards and shareholders understand the most common cybersecurity mistakes so they can adopt a flexible, proactive and strategic approach to building an informed organization.
KPMG LLP recently surveyed 100 primarily C-level and senior executives in the technology industry for our “2014 Technology Business Outlook.” Technology executives continue to believe that security is the biggest challenge to businesses adopting Cloud, mobile or social media technologies and almost two-thirds expect their company to spend 1 percent to 5 percent of their revenue on information security over the next 12 months.
In light of the recent data breach at Target Corp. and the fact that data security is one of the top concerns of many of our clients, we’ve compiled five common cybersecurity mistakes that company leaders should work to avoid.
Mistake: “We must achieve 100 percent security.”
Reality: 100 percent security is neither feasible nor the appropriate goal.
Whether it remains private or is made public, almost every large, well-known organization will experience information theft. Once you understand that perfect security is an illusion and that cybersecurity is “business as usual,” you also understand that more emphasis must be placed on protecting your most important information assets, in addition to improving detection and response capabilities to identify and address issues as they arise.
Mistake: “When we invest in best-of-class technical tools, we are safe.”
Reality: Effective cybersecurity is less dependent on technology than you think.
The world of cybersecurity is dominated by specialist suppliers, such as those that sell products enabling the rapid detection of intruders. These tools are essential for basic security, and must be integrated into the technology architecture, but they are not the basis of a holistic and robust cybersecurity policy and strategy. The investment in technical tools should be the output, not the driver, of cybersecurity strategy.
Mistake: “Our weapons have to be better than those of the hackers.”
Reality: Security policies should primarily be determined by your goals, not those of your attackers.
The fight against cybercrime is an unwinnable race if it’s defined solely as an arms race with attackers, who are constantly developing new methods and technology, forcing companies to keep investing in increasingly sophisticated tools to prevent attacks.
Managers need to understand what types of attackers their business attracts and why and assess their own risk profile and prioritize policies, procedures and controls based on that risk profile.
Mistake: “Cybersecurity compliance is all about effective monitoring.”
Reality: The ability to learn is just as important as the ability to monitor.
Cybersecurity is very much driven by compliance with certain laws and policies. Even so, only an organization that is capable of understanding external developments and incident trends, and uses these insights to inform policy and strategy, will succeed in combating cybercrime in the long term.
Effective cybersecurity policy and strategy should be based on continuous learning and improvement to beef up the company’s program and protect their highest value assets, not simply reacting to a regulatory compliance issues that might address only part of their environment.
Mistake: “We need to recruit the best professionals to defend ourselves from cybercrime.”
Reality: Cybersecurity is not a department, but an attitude.
Cybersecurity is often seen as the responsibility of a department of specialist professionals, which may result in a false sense of security and may give the broader organization the mistaken idea that it’s not their problem.
The real challenge is to make cybersecurity a concern of the entire organization. For example, this means that cybersecurity should become part of HR policy. It also means that cybersecurity should be built into the requirements for key business and information technology initiatives vs. retrofitting security into business processes, IT systems or third-party controls only at the end of such projects.
Developing a strategic, customized and comprehensive cybersecurity program — driven from the top — will help companies avoid these common security mistakes and build an informed and knowledgeable organizational culture.
David Notch is a director in KPMG LLP’s Information Protection and Business Resilience practice in Minneapolis. He has more than 20 years of experience in the technology and security industries. He can be reached at firstname.lastname@example.org. Tony Buffomante is a principal in KPMG’s Information Protection and Business Resilience practice. He is also the firm’s U.S. leader for cybersecurity. During the past 20 years he has managed and executed information technology security strategies, assessments and implementations for some of the largest global organizations. He can be reached at email@example.com. A version of this column originally appeared in Finance and Commerce (Minneapolis, Minnesota), sister publication to The Daily Record.