Cybersecurity changes must be driven by senior management. Source: Shutterstock

Effective cybersecurity needs more than an investment of money

RECENT events have demonstrated to businesses the extent of the damage that can be expected in the aftermath of a cyberattack.

However, businesses are slow to make the change – not because they lack the desire, motivation, or resources to do so, but because they face cultural challenges.

But the time has come to deliver change, and leaders have to be aggressive. It’s time for them to literally be the change they want to see in the organization’s culture.

According to Kaspersky Labs, the average cost of a data breach in North America amounted to US$1.3 million for enterprises and US$117,000 for small and medium-sized businesses (SMBs).

In fact, cyberattacks are not just a costly affair for businesses but also for the economy as a whole.

A recent report issued by the Council of Economic Advisers estimated that the total loss to the US economy as a result of cyberattacks was anywhere between US$57 billion and US$109 billion.

In an exclusive interview with Tech Wire Asia, Thales’ Managing Director of Critical Information Systems and Cybersecurity (CIC), Asia, Henry Ng, talked about the role of culture in the implementation of cybersecurity measures.

“Change is hard, and people find it hard to change – but if organizations want their cybersecurity programs to succeed, they must drive a change in their culture and be more aware of their choices in the context of their cybersecurity policies,” said Ng.

How cybersecurity became a culture challenge

The fact is, cybersecurity isn’t an enterprise-wide initiative, culturally speaking. Historically, it was a ‘solution’ that the IT team reviewed, purchased, and implemented – in isolation.

Nobody else was involved in the process back then, and their involvement wasn’t needed. But modern cybersecurity problems cannot be solved without the support of the whole organization. And for this, a cultural change is needed.

“Everyone needs to actively and consciously think about what they do on their devices. What emails they open, how they access emails, what attachments they open, who they give data to, everything,” pointed out Ng.

In all honesty, employees are today’s biggest cybersecurity risk – it’s something a recent study has found. Hence, any investments in cybersecurity will be futile if all employees don’t wholeheartedly support them.

“The study’s findings clearly show that seemingly small habits can pose great security risks,” Shred-it Vice President Monu Kalsi told CNBC.

The solution to the problem

A lot of businesses know that their culture is a problem; however, only a few know what to do to fix it.

According to Ng, the best way forward is to develop a governance model that very specifically describes who is responsible for what part of an organization’s cybersecurity, and offers very clear guidelines.

Typically, people fail when there is a lack of clarity. Even with the guidance and support of a strong leader, businesses will fail to drive a change in their culture if they don’t have a strong governance model in place that lays out responsibilities clearly.

“In Asia, where organizations are hierarchical, implementing a clear governance model is one of the quickest ways to succeed with cybersecurity,” said Ng, who emphasizes that clear metrics for performance and success must be set out at the start.

This governance model, when evangelized by top management, is usually what breaks down the cultural barrier.

As Deloitte Touche Tohmatsu Limited’s Global Chief Information Security Officer JR Reagan told the Wall Street Times recently, “Changing workplace culture can be daunting. But as the history of workplace safety shows, it’s possible to achieve with commitment from the top. And the trickle-down effect, resulting in buy-in at every level, is likely to help organizations lower their risk considerably.”