The 2019 State of Cybersecurity in Small and Medium Size Businesses study by the Ponemon Institute revealed that most companies surveyed suffered severe financial consequences thanks to a cyber-attack. A study undertaken by Bromium and researcher Dr. Michael McGuire found that global cybercrime revenues were reaching a staggering $US1.5 trillion every year. These insane profits were generated from illicit online markets, the theft of trade secrets and intellectual property, data trading, crimeware-as-a-Service, and ransomware. For the cybercriminal with a talent for code and a penchant for problem-solving, this is a lucrative career choice that many are opting into.
So, what does this have to do with video games? One very simple thing. You can never stop learning how to fight because the bad guys just keep getting stronger, better and more complex. You can never sit back and think that you’ve got all your bases covered because they will find a way in. And, they want to find a way in because you’re very, very valuable to them.
“As IT, the Fourth Industrial Revolution (4IR) and emergent technologies continue to evolve, people aren’t paying as much attention to security as they should,” says Karien Bornheim, CEO of FABS. “The business focus is on implementing new technologies as quickly as possible and eeking out all of their possibilities rather than on the security concerns they represent.”
The risk that’s inherent in this constant and enthusiastic investment into 4IR is that the spotlight isn’t shining onto security. The standards aren’t yet fully defined and not many organisations, or individuals, are clear on how to pull the threads of investment and security together from an enterprise perspective.
“The bottom-line imperative to just get it done now has often shoved security under the carpet,” says Bornheim. “However, this is starting to change as the impact of leaving security as an afterthought is rippling across failed businesses, collapsed reputations and shaky bottom lines. People are starting to pay closer attention to how security should be embedded into the business from the outset, and the conversations are finally taking place at board level.”
One of the most common obstacles to the evolution of security in the organisation is, of course, the disconnect between IT and the executive. The age-old problem of IT talking to the business and the business talking to IT, but nobody speaking in the same language. Business does understand that security is an issue, but it doesn’t really understand how to combat it and thinks that responsibility for this vague problem lies squarely on the shoulders of IT. This is most definitely not the case.
“Security is everybody’s issue,” adds Bornheim. “From the person on the ground to the head of IT to the C-suite, including the 3rd party supplier and the customer, security should be something embedded into every aspect of the business culture. It is critical that everyone understands the never-ending quest to stay on top of security. This industry is growing, hackers are always thinking of ways to get into the business and there are always more of them than there are of us. We have to build bridges between departments, silos, and personnel to ensure everyone is trying to protect the enterprise and its environment. This can be achieved through ongoing conversations and increased collaboration to ensure that systems and individuals are always up to date.”
Practical training, executive and user awareness, hands-on courses, application and solution understanding – all these factors play a role in supporting both IT and the business in maintaining the right levels of security. Most companies are not investing enough in security training. People have the tools, but few really understand their value or the impact of a careless mistake.
“Training should become a standard part of business protocol and planning,” says Bornheim. “This extends from the normal day-to-day security knowledge and understanding through to security insights, a specialised focus and ongoing professional development. Everyone should have access to the tools they need to do their jobs securely, especially those with high clearance or in control of enterprise security.”
The security team should be given continuous learning and provided with training that goes beyond theoretical exercises. It’s worth the time and investment in sending the relevant individuals to white hacker courses that allow them to see through the eyes of the cybercriminal, to understand their motivations, and to gain insights into their methodologies. This hands-on training provides the enterprise security team with the skilled insights required to select the right applications and investments into the right levels of security.
“As the company CEO, the most important consideration is to ensure the continuous learning of the security team,” concludes Bornheim. “The risk of not doing so means that your people aren’t aware of the threats, are not able to make the level of informed decision that they should, and aren’t as embedded into the constantly changing landscape as they need to be to ensure the ongoing evolution of your security. Training, awareness and attention – these three pillars can fundamentally change an organisation’s security profile and its resilience in the face of an unwanted attack.”