By Security Magazine on 1 December 2016
It probably comes as no surprise to IT security professionals that cyber-attacks are now becoming more sophisticated and more commonplace. For years, cyber-experts have been warning that we are entering the “age of the cyber-attack,” predicting that a digital attack will now bring about the end of civilisation rather than a nuclear war. While this is clearly an extreme example, what is surprising is how ubiquitous and effective cyber-attacks have become, despite vendors and experts warning about their risks for over a decade. However, even if an organisation has a robust cyber-security policy in place, this alone is not enough to protect it from cyber-attacks. Trust us, we know because we’ve been there.
The data breach that we suffered worried us and our customers. This was particularly frustrating as it happened despite employing industry-leading security policies and protocols. The lesson that we learned was that, not only can you never be 100 percent secure, but if you ask yourself the question: “are we safe?” you are already going down the wrong path.
As IT security experts know, the key is making sure that, when a cyber-attack does happen, the most important parts of a business’ network are protected and, most importantly, that it can recover to continue business as usual.
In recent years, we have been seeing increasing high-profile attacks, but few of us truly understand why. Recent research from Vanson Bourne posed questions to owners and C-Level executives of enterprises and SMEs, seeking to shed some light on this. It asked business leaders about the level of risks they perceive within their own organisations and the types of attacks that they had experienced in recent years. The most surprising finding was that 86 percent of respondents felt that they were doing enough to mitigate the threat of cyber-attacks. This contradicts the fact that half of all organisations surveyed had already been the victim of a cyber-attack. This is integral to understanding why attacks are so successful and why responsibility is often misplaced so easily.
When looking at who is perceived to be in charge of cyber-security, it seems that the IT department is still tasked with protecting the data and systems of the business. Thirty-three percent of those surveyed considered it the sole responsibility of the IT department to mitigate the risk of threats related to cyber-attacks. Fifty-two percent of executives also admitted that they don’t have any secure practice guidelines in place to minimise the risk of a cyber-attack.
While we think the C-suite should lead from the front when it comes to cyber-security, ultimately the responsibility for it needs to be shared across the whole of the organisation to give it the best level of protection across the board. This will also help the IT department to concentrate on other responsibilities and introduce greater accountability across the organisation, which in turn will also help management and members of the board. There is nothing more frustrating for a CIO than signing off hundreds of thousands of pounds on cyber-security technology with the CFO to later find that staff have never used it.
Best practice training also needs to be implemented so that staff are aware of the risks involved with being a digital business. Unsafe working practices also need to be monitored on an ongoing basis to eliminate the risk of human error contributing to an attack and to help inform any further training needs so staff conduct themselves appropriately, for example by not using personal e-mail accounts for sharing business data and not downloading attachments from unknown sources that could contain malware. Secure practices need to go hand in hand with robust technology to limit the opportunity for hackers and digital threats. Otherwise, businesses will only ever be able to offer an Elastoplast solution, or else have to introduce draconian measures, which potentially diminish worker productivity, leading to workers and suppliers eventually finding ways to evade them. Businesses can fortify weaknesses in the network, but even the most security-aware organisations can’t do anything to change human behaviour.
A robust cyber-security policy requires the buy-in of all members of the organisation and it’s not enough for the IT department alone to be held responsible. For this to happen, employees need strategic direction from the top of the business to ensure all team members understand why policies are in place and that everyone does their part. Only then can businesses create a risk-based approach that minimises the threat to themselves and their customers.
Olson-Chapman, Kristine (2016). Never stop learning – the need for a risk-based approach to cyber-security. Security Magazine. Retrieved on 2 December, 2016, from http://www.scmagazineuk.com/never-stop-learning–the-need-for-a-risk-based-approach-to-cyber-security/article/574440/