In response to the pandemic, organisations worldwide have accelerated the digitisation of their processes to provide more transparency, structure, and reliability in the delivery of services across the enterprise. However, with the increasing number and sophistication of cyberattacks, this now means that digital security is a growing priority for business leaders.
The stats are sobering. By May 2020, IBM recorded a 6,000% increase in online threats as cybercriminals sought to target employees and gain access to critical business data; meanwhile, official government figures show that almost half of businesses in the UK have experienced an online attack in 2021.
New research from ServiceNow and ESI ThoughtLab reveals that 30% of businesses surveyed had experienced major disruptions to cybersecurity over the past 12 to 18 months, and 44% saw cybersecurity as a key area for improvement in the next year or two.
Much of the disruption is due to the growth in home working and hybrid working, as unsecured connections and a lack of IT oversight mean employees may put the business at risk without knowing it.
The lesson? Every business could be targeted by cybercriminals. The question isn’t if, but rather when—and how will you respond?
A growing threat needs a comprehensive response
The problem is, in the face of such a significant threat, many organisations take a piecemeal approach to protection. By focusing too heavily on tech solutions, other gaps which hackers, online criminals, and data thieves could exploit are often missed.
To stay safe, businesses need to take steps to build their digital resilience from the ground up: addressing security threats strategically, and creating a culture around and commitment to data security that runs through their organisation.
True resilience here means that every individual in an organisation has the skills, support, tools, and technologies to deal with online threats if and when they occur.
So what can businesses do to reach that level of resilience?
1. Empower employees to safeguard security
Humans are the weakest link in your digital security and, for that very reason, require the strongest support.
Hackers use sophisticated methods to target human vulnerability. Whether it be through a pixel-perfect phishing email or an innocent-sounding attachment from a person they trust, they know exactly what buttons to push to get your employees to fall victim.
At the same time, all humans make mistakes, and businesses won’t ever improve their responses by punishing staff for a simple error. It’s far better to empower employees by being proactive about education and protection.
Rather than naming and shaming those who have fallen prey to an online attack, use it as a learning opportunity to improve security and your business, and even show employees how to think like hackers.
The aim is to develop an internal culture where staff are aware of online threats, understand the security protection process, and feel confident at managing them. This goes beyond technology, incorporating policies and people too.
2. Make security a management priority
One small business is hacked every 19 seconds, says Hiscox insurance company. Many of these hacks are caused by phishing attacks.
Most of us may feel confident in our ability to spot a fake email. Yet in 2019, PWC found that 7% of recipients at midsize to large financial institutions clicked a link in a malicious message. Hackers are becoming more sophisticated in their attacks, making them more challenging to identify.
Leaders can react by ramping up security protections across the board, but these constraints can affect flexibility, and ultimately damage the user experience.
Making security a strategic priority ensures that every staff member is aware of the importance of maintaining protection, whatever they’re doing and wherever they are.
Supported by strong, clear, and consistent policies, leaders can provide a solid basis for organisational resilience to develop. It’s about ensuring everyone has the tools and techniques—as well as the right technology—to work.
Ultimately, managers can’t manage 24 hours a day. You need to ensure staff have the skills and support to prioritise protection, and the mechanisms to report security breaches rapidly without fear of recrimination.
3. Target threats, not tech
It’s easy to see technology as a cure-all for security issues. But it can never replace the real work of digging deep and identifying the real cause of business risks.
A great place to start is to explore previous attacks. Were they caused by poor password management, network vulnerabilities, or eavesdropping issues?
The lesson? Don’t focus on the tech, but the threat.
At the end of the day, employees in customer service, communications, and cost management will use different software, solutions, and technology. They also face different risks and threats.
Even in small organisations, a single security policy won’t be comprehensive enough to contain everything. Training should support staff to be able to spot the threats they’re most likely to encounter in their line of work, and crucially, they must know what to do when they spot them.
Clear communication is critical to reducing business risk. Developing a culture where security threats are shared and discussed openly is essential. If your staff make mistakes—and they will—they must have the confidence to raise an alert immediately. Even a few minutes delay can put your data at risk.
Resilience is about reducing risk, but it can’t eliminate it. By focusing on the causes of security breaches, you’ll have greater success than spending big.
Digital security is a daily battle
Every new piece of technology or network connection creates a potential opportunity for a hacker—and a threat to your business. Truth be told, technology progresses so quickly that no static policy or process can hope to keep up.
Instead, companies must embrace an agile approach to security: a process of continual improvement that allows threats to be identified and solutions implemented quickly.
It sounds complicated, but it doesn’t need to be. Focus on recognising the threats your business faces, then create a plan and processes to protect you. Make identifying, reporting, and responding to threats a strategic priority. And, last but not least, empower staff to safeguard security.
If you can start with a funded programme for digital security, you’re well on the path to a truly resilient business.