Many business leaders equate being compliant with being secure. While closely intertwined, these are actually two different things. Regulations such as the European Union’s General Data Protection Regulation (GDPR) address specific security risks that are typically based on previous attacks.
But adversaries are changing their tactics constantly. If you close one door by being compliant with one regulation, attackers will seek another door. And, often, they will find one.
So, how does your organization move beyond compliance to reduce the risk of being attacked and mitigate the impact if a cyber crisis takes place?
Businesses can move successfully beyond compliance by striving to understand the human element in cybersecurity, according to Ria Thomas, Partner and Global Co-Lead for Cybersecurity at Brunswick Group, an advisory firm specializing in critical issues and corporate relations.
“It is critical to undertake the necessary technical investments,” Thomas says, “not only to protect your company, but also to be able to demonstrate that you understood the technical risks and sought to mitigate them.”
But in today’s fast-moving environment, investing in technology is not enough. “It is important to acknowledge that cyber risks are caused by humans and cyber prevention is managed by humans,” she says. “How you work to prevent a cyberattack and how you respond to one starts with understanding who is involved.”
Addressing the Human Element
Writing in the newly released book, Navigating the Digital Age, Second Edition, Thomas discusses three categories of players when it comes to cybersecurity:
1. The people attacking the business. No matter what motivation, methodology or attack mechanism is behind the attack, it is always important to remember: It is human actors that are doing it and, being human, they are often unpredictable.
2. The people responding within the business. Being prepared means knowing that the entire organization needs to come together—not only to create an integrated picture of the business impacts, but also to coordinate a response to minimize the potential fallout. All employees must understand what is expected of them during a cyber crisis.
3. The people impacted by a cyberattack. If an attack impacts infrastructure, you may not be able to provide services. If you are in a critical industry, such as healthcare, the results can be devastating to individuals who rely on your services. Company leadership should not be making decisions based solely on the bottom line. Rather, you must demonstrate that you are minimizing and mitigating the impacts on the people directly affected by the cyberattack.
Setting the Right Cybersecurity Tone
As a business leader, there are positive steps you can take to ensure that your organization is paying proper attention to the human element in cybersecurity, thereby reducing risk.
It starts with you, Thomas says, setting the tone and creating a corporate-wide cyber-resilient culture that encourages active engagement, participation and buy-in from all the people throughout your organization.
“The first step for company leaders, whether in the boardroom or the executive suite, is to take the time to understand the threat environment for your organization, including the potential risk and the potential business impact,” Thomas says.
Understanding risk demands that you consider the impact of your strategic business decisions on your cyber threat profile. For instance, if you enter into a new partnership or create new intellectual property, who are the human beings that may now be interested in attacking your business? What would they be seeking, and what damage might they cause?
Engagement and Preparation
The next step is to engage with all of the key members of the organization who will need to create an integrated understanding of the impacts and come together to help coordinate a corporate-wide response. Focus on these questions:
- Are they aware of leadership’s expectations of them during a cyber crisis?
- Do they know their roles and responsibilities?
- Will the existing crisis structure, whether formal or informal, be able to handle a multi-faceted attack?
As part of pre-cyber crisis preparation, company leadership should also invest in raising awareness of employees, Thomas says, not only focusing on cyber risks “but also on the behavior that may be expected of them to protect the organization from cyber threats.”
Finally, corporate management must take steps to ensure that employees throughout the business understand that the top priority is the human beings who are most affected by the attack. “These are not only your customers, and employees, but also the general public,” Thomas notes.
She poses several critical questions for business leaders:
“What are the principles by which you appear to be leading your company through a cyber crisis? Is it to protect our business operations and valuation? Or do you convey through your actions and words that you have understood the weight of the trust that has been placed on your business by the human beings on the other side?
“How the public reacts has little to do with compliance and everything to do with perception: Did you do everything you were supposed to do? Put more succinctly: Did you do the right thing, even if you were not required by law to do so?”
Taking the Next Step
The key to successfully addressing the human element in cybersecurity is being prepared.
“You need to ensure that you have the right strategies and policies in place to reflect that you have planned for and thought about these things before the incident took place,” Thomas says. “This preparedness approach is where the right culture can leverage institutional muscle memory.
“You may not be able to think everything through in advance, but if your core group understands their roles and responsibilities, you are in a much better position to do the right thing and shape public perception in a positive way.”
Compliance with regulations alone does not ensure cyber resilience. Your organization’s ability to overcome a cyber crisis starts with a full understanding of GRC (governance, risk and compliance): your cyber risks, the potential impacts and the measures you need to put in place in order to maintain your ability to steer through the crisis.
And, of course, understanding the human element in cybersecurity. As Thomas notes, your efforts cannot be successful without taking into account the human beings that form the core of the threat, the response and the impact.
Al Perlman, co-founder of New Reality Media, is an award-winning technology journalist. For the past dozen years he has focused on the intersection between business and technology, with an emphasis on digital transformation, cloud computing, cybersecurity and IT infrastructure.