Why cybersecurity is about culture as much as technology
Blog by Rhys Madoc, CEO, UHY International
In the post-pandemic world of work, robust cybersecurity defences are more crucial than ever.
That is not saying anything that most of us don’t know, but it is worth repeating. The pandemic has accelerated digital transformation, making us all much more reliant on online tools and services than we were just two years ago.
In our profession, we have seen a significant shift to using cloud-based bookkeeping software, and our clients expect to be able to contact us over Zoom, Teams or chat, as well as in person. We store more critical data in digital strongrooms, either in the cloud or on in-house servers.
Across the corporate world, reputations, revenue and even the futures of businesses rely on being able to keep that information safe. That is not an easy task. Cybercriminals are a determined foe.
Doing the simple things – every time
However, as determined as the criminals are, the reputation of cybercrime can sometimes exceed its reality. Cybercrime is rarely rocket science. The things you need to do to foil most attackers are actually quite simple – you just need to do them again, and again, and again.
That means not just investing in an enterprise-grade firewall, but making sure it is always updated to the latest version. It means backing up data on a daily basis. It means buying and applying Virtual Private Network (VPN) licences for employees connecting to your network remotely, and making sure they use them.
And perhaps most of all, it means making caution routine. Deleting an email that contains a link you don’t recognise once is not enough. You have to avoid clicking suspicious links every time you encounter them, from now until forever.
That is a tough ask, because it requires constant vigilance. Drop your guard on just one occasion and the hackers might be in.
The holistic approach to cybersecurity
That stark truth is confirmed by statistics. A recent report found that 85% of data breaches have a human aspect (source: Verizon, Data Breach Investigations Report 2022). The average cost of a data breach, meanwhile, is an eye-watering USD 4.24 million according to IBM (source: IBM.com/security).
How do you avoid the calamity of a major cybersecurity incident? It takes a holistic approach, which certainly includes technology, and might require third-party support.
Many UHY member firms around the world now offer cybersecurity as a professional service. Our US firm, for example, operates a rapid response unit, which has a formidable reputation for forensically investigating security breaches and containing threats before significant damage can be done.
Education is your first line of defence
But whatever else you do, your cybersecurity strategy absolutely must include employee education. In one telling study, 61% of employees failed a cybersecurity quiz, and 60% of those who failed said they felt safe from online threats (source: talentlms.com cybersecurity survey).
In my opinion, that sort of misplaced confidence is as big a threat to your organisation as an unpatched server. Cybersecurity training should now be compulsory for all employees, as part of a process of continuing learning. Annual refresher courses should cover at least the basics, from recognising phishing attacks and securing mobile devices to connecting securely to your network from outside the office.
Or to put it another way, cybersecurity needs to become a habit. Your resilience to cyber attacks depends on the continuous vigilance of every member of your organisation.
So put the tools in place, from firewalls and antivirus software to intrusion detection and prevention systems. But remember that cyber resilience is as much about instilling a culture of caution as it is investing in the latest technology. As an organisation, you are only as strong as your weakest link.