Managing digital security is key to successfully running a business. We all know examples of cyber-attacks that significantly harmed business operations, with broader negative impact on reputation, trust and business continuity. In the latest CEO Study of the IBM Institute for Business Value (IBV), managing digital security was even one of the 5 distinctive focal points of CEOs of top-performing companies. In this article we discuss the relevance of digital security with Talitha Papelard, Director Security Office as a Service at Northwave and author of the book ‘Critical success factors for effective business information security’.
Why is digital security becoming more important, and what are the most common threats?
In our current economy it’s hard to mention a business process that’s not supported by technology. The adoption of technology (e.g. software, Internet of Things) has led to a significant increase in productivity in all industries in the last decades, but technology-dependency made us vulnerable as well. We should all not think about cyber criminals shutting down the systems of a hospital or an energy company. Yet these are real threats.
Next to that, cyber criminals are getting smarter. They don’t only use more advanced technology to hack systems, but they are also increasingly deploying social engineering and personalization techniques. The most common threats we see are:
- Ransomware: Malicious software (malware) encrypts or steals your (business) data/systems and extorts a ransom to unlock your data.
- Phishing and business email compromise: social engineering techniques (e.g. CEO email messaging) in order to gain relevant data and/or trap you into a wrong payment.
- Malicious insider: an internal employee or contractor who steals data, sells data to third parties or aims to harm your business in other ways.
- Data leakage/breach: Besides forms of digital crime, data leakage can also be the result of an unconscious fault (e.g. leaving a tablet with business data on the train), but also with high impact.
How can you protect your company against these threats?
For our research at the Antwerp Management School, resulting in our book, we held many interviews with leadership teams. The most important lesson: as a company you need to be in control and able to show resilience.
You cannot block every attack, so it’s important to understand your organization, operational processes and the application landscape very well, so that risks are understood and so that you are able to respond swiftly in the case of an emergency.
Therefore, it’s important that digital security is not only on the plate of the CIO, CTO or IT team. Digital security management depends on the ‘tone at the top’. An aware, active and alert mindset is required at all levels in the organization. More and more we see that CEOs or CFOs are responsible for digital security policies. Strong leadership, and leading by example are crucial.
Other critical success factors:
- Define a process for continuous improvement; this is commonly known as an ISMS or Information Security Management System, e.g. with monthly business reviews about this topic and evaluations.
- Integrated, holistic approach: don’t only look at technology (e.g. end-point protection) but also at behavior and organizational processes.
- Put awareness training in context. At Northwave we have a team of organizational psychologists constantly optimizing the effectiveness of security awareness training programs. For the learning experience it’s important to contextualize, e.g. with the help of simulation.
Are software companies at risk as well? Any tips for them?
Cyber attacks can happen to all organizations: governmental bodies, educational institutes, large corporations but also smaller software companies.
What makes this topic so important for software companies is that their products are often used in critical work processes of end-users. For example, case management solutions for municipalities, a communication app for daycares, and software for supply chain management. Security incidents can be enormously impactful and might even risk the business continuity of the software company.
My tip for software companies: take into account ‘security by design’ and ‘privacy by design’ from ‘Day One’ of software development. It’s good to understand how your solution will be used by end-users and how they look at digital security and privacy. For example, for a daycare communication app, used by care providers and parents, this is one of the critical aspects of the solution. If you don’t get this right, you will be passed by competitors.
Main Capital & Northwave collaboration: Digital Security Checklist
Since Main recognizes the importance of digital security, and because we want to continuously support our portfolio companies in their business with all types of practical tools, Main and Northwave joined forces and created a specific tool for Main portfolio companies: the Digital Security Checklist. For more information, please contact Bram Kaashoek.