OPINION: Cyber security needs to be tackled from all angles

By , ITWeb
19 Feb 2016

There has been extensive discussion on the topic of cyber security threats, highlighting the need for organisations to be mindful of the impact on their reputation and bottom line should a cyber breach occur. With the proliferation of the connected workforce and the spread of mobile devices into every aspect of our lives, the risk of security breaches and data theft has increased significantly too.

Despite substantial media coverage of the issue, corporates are generally not doing enough to protect themselves and their employees from the risks in cyber space. Organisations need to examine how they can better equip their workforce to deal with data breaches and understand that every employee poses a potential risk to the organisation in terms of IT security. In so doing, it will become evident that it is critical for the CIO and CEO to be on the same page with regard to cyber security, as technology alone cannot protect against a myriad of possible cyber-attacks. In short, cyber security is a shared responsibility that needs to be tackled from all angles.

Cyber security is a growing global issue

The Information Systems Audit and Control Association (ISACA) Global Cybersecurity Status Report 2015 surveyed around 3 400 ISACA members in 129 countries worldwide and reported that 83% of respondents considered cyberattacks to be among the top three threats facing organisations across the globe today.

Closer to home, Grant Thornton's International Business Report (IBR) on cyber security revealed that one out of every 10 South African private sector businesses has experienced a cyber-attack in the past year, compared with a global average of 15%.

As these prominent security breaches and hacks become more commonplace, businesses are putting themselves at risk if they lack a thorough strategy to prevent, detect and control cybercrime. It's clear from the IBR that cyber-attacks have a direct effect on the bottom line, but despite the undeniable risks, almost 45% of respondent executives in South Africa revealed that they had no security strategy in place to address potential cyber threats.

Addressing the issue of cyber security within the organisation

When it comes to security control, there are essentially three aspects that need to be addressed: first, defining what needs to be controlled; then monitoring for adoption and compliance; and thereafter implementing a consequence for non-compliance with control methodologies. All too often, one of the three aspects is overlooked or underplayed, which reduces the effectiveness of cyber security measures in the business. Addressing cyber security effectively requires acknowledgment of the fact that it's about more than just technology; it's about managing people and risk.

From an IT perspective, it is the CIO's responsibility to protect the business infrastructure and data from falling into the wrong hands; this includes business data, customer data and employee data. The biggest challenge for organisations lies in managing mobile workers and mobile devices, especially when it comes to providing the controls to protect the company itself without affecting employee productivity.

While organisations cannot control personally owned devices, they can offer a number of technology options to enable workers to do their jobs, which might involve checking mail, browsing the Internet or logging onto company applications. Control can be applied at a gateway level, only allowing people to connect if they have anti-virus software, or if they're able to authenticate their identity. This is also where other technologies, such as those dealing with email, phishing, ransomware and the like, come into play.

Cyber security is a shared business responsibility

Beyond this point, cyber security becomes the realm of the CEO (as specified in the Protection of Personal Information Act), and it is a responsibility that is shared with the employee. Even though it is an IT task to enable employees to do their job, it is also incumbent on the employee to realise that there are risks attached to their actions, for which they must be accountable.

This is where the CEO must shoulder responsibility for the enforcement of risk and compliance type controls, because, unless the business oversees the implementation of these controls, IT will merely be providing the technology without the authority to ensure that employees are heeding these controls.

As the CEO holds authority over the main resources of the organisation – the employees – this individual is responsible for ensuring that the workforce adopts and abides by the selected security measures and policies, through the appropriate channels of employee awareness and education.

To be effective, it's critical that all aspects of the business align on the issue of cyber security, from the CEO to the CIO and through to employees, particularly with POPI coming into effect imminently.

Technology alone is not sufficient to keep businesses safe, and all stakeholders in the business need to be involved in addressing cyber security concerns, both in the boardroom and inside the IT department. It will require management teams to push cyber security strategies to increase staff awareness, and for the business to have policies and procedures in place to deal with cyber threats as they arise, from all angles.

* By Simeon Tassev, Director Galix Networking
