Organizations should be cyber-resilient, take an honest and accurate view of their current situation and focus on staff training, IT security specialist André Meyer explains.

In many companies, a lack of time, money or leadership is an impediment to cybersecurity, says André Meyer, Lead Cybersecurity at Accenture Luxembourg.

André Meyer, how would you define cyber-resiliency?
It is a mix of processes and measures. It first includes an appropriate technology that prevents your organization from being at risk. For example, if your company is running an old system, it can become a target very easily and quickly. Your organization shall remain uninteresting for hackers.

Secondly, if your company is a big name and has very valuable assets, then it shall implement appropriate measures to secure its systems and assets.

The human factor is the third important part of the resiliency. You can have all the best technology in the world, but if within your organization, someone makes a mistake and cannot handle it, or speaks freely and mentions information they should not tell, it can easily lead to a security issue.

In other words, cyber-resiliency means thinking about what you want to do in order to protect your company, its assets and people. It is also about implementing the right technology as well as defining and applying the right mindset to manage that technology.

How do you think employee behavior shall drive this resiliency?
First you need to make people aware that they can be part of the security risk, and more particularly that they are part of the problem as well as of the solution.

They may hand confidential and very valuable information to the wrong people. They should also know that they can become a specific target for cybercriminals.

Therefore, you need to inform your staff about those threats and risks. But you also need to tell them how to identify the situation, to react and to escalate when being targeted.

Moreover, you need to customize your training according to the functions and the roles of your staff.

These include consistent and continuously evolving awareness trainings, the integration of your staff from the very beginning into the security processes, as well as the presentation of showcases detailing where they can be targeted within the attack chain.

If you know what you represent for your attackers, it is quite easy to identify when and how they will target you.

In that context, what strong message do you tell your staff?
You are facing an ongoing threat, and a malicious party has put you on their map: therefore being passive is not sufficient! Deleting for instance a suspicious mail is not enough. You should inform your security team and help them understand how you have been targeted.

It is the people’s approach towards security risks and threats that drives a company’s cyber-resiliency.

How should HR departments be involved in a company's cyber-resiliency plan?
Cybersecurity only works if it is integrated within the whole company and done across the departments. If you put the entire focus and responsibility on the IT side only, you are missing the point.

HR departments are in charge of the whole human capital of the organization. They are one of the most crucial actors in the company.

As they recruit people, they are the gatekeepers that make the inside of the company safe. Hence, they should pay very much attention to identify employees whose behavior might be a threat.

Lots of cyberattacks are still made by human beings. And those are easier to operate from the inside than from the outside of the company.

How do you train your staff on these issues? What training programs do you suggest?
A good resiliency program should include online basic training that makes people aware of what information exists on the topic, gives them a broad overview of the subject, and prepares them for what kind of attack they may face.

It should also include more specialized and dedicated training, based on concrete examples of risks and threats that your staff might be confronted with when carrying out their day-to-day tasks.

How often should those trainings take place?
A yearly session is a good approach for basic training, because some cyberattacks remain unchanged over the years. It is also about refreshing people's minds.

The aim is to make them aware of recent and potential cases and threats that might appear under new circumstances. For instance, the current home-working situation due to the pandemic can lead to new cybersecurity risks.

Whatever the technology you buy, you will always have people working on it and with it. And if these people are not sufficiently aware or trained, they can be the problem. The best technology in the world cannot prevent human errors.

This comes down to your employees. For these reasons, you should invest in your workforce as well. And this investment should not be neglected.

What are the main impediments you see against cyber-resiliency?
Lack of money and lack of time are the most common reasons. But when it comes to implementing and conducting a cybersecurity policy, lack of time is not an excuse! You need time to do it properly.

Moreover, everyone in the organization wants to help save time and make money. In that context, cybersecurity is not considered a direct revenue generator. It is usually seen as a necessity rather than an essential piece of your business.

Lack of leadership is also an important factor: companies should be aware of the risks a lack of leadership can bring to their cybersecurity. Leadership should drive cyber-resiliency and awareness.

Therefore, companies should take an honest and accurate view of their current situation. Based on that situation, they can easily identify the main governance, process, technology and human issues they should address.

Most of the organizations that faced a cyberattack or a breach were too optimistic about their protection processes and measures, or they took the wrong cybersecurity decisions.

Hence, they should consider cybersecurity more as an investment than an obligation.

And I would like to insist: it is not an insurance policy. You need insurance when something goes wrong, whereas an investment is something you can quantify through a return on investment.

Clicking on a malicious link might generate a breach that will cost the company 680,000 euros on average. By comparison, a training on cyber risks and issues might cost only 80,000 euros.