Rapid technological innovation is impacting the risk exposure of Belgian organizations. Creating security awareness is key, as well as getting the whole organization involved in cyber resilience. And how does legislation help? Experts from Agoria, LSEC and IBM shared their insights during the IBM Security Summit Belgium 2019.
Depending on the size and sector, many companies in Belgium face serious security challenges. “Start-ups and major companies in the services industry are leading the way in cyber resilience. It’s mainly the many family businesses in our country that fall behind, but also industries like manufacturing. And there are large corporations in other sectors too with a lacking security budget and focus, struggling with legacy systems,” says Yves Schellekens. He is Business Group Leader Digital at Agoria, which is the Belgian sector federation supporting technology-inspired companies in Belgium, with 2000 member companies.
Security no priority
Luc Dooms, Board Member of leading security association LSEC, shares Schellekens’ worries. “Security is not a priority in most family businesses. Even so, it’s difficult for them to get the right IT and security people on board. There’s a shortage of skilled professionals and it’s hard to compete with big companies to get them.” Like Schellekens, Dooms fears the impact of new technologies like IoT in the manufacturing industry. “They put IoT applications into practice while not being fully aware of the risks that they pose to their organization.” Overall, he sees another point of attention. “There’s more to security than keeping your software safe; you also need to think of the physical protection of your data and devices.”
Language of the business
New technologies will always incorporate risks and cyberthreat is just one of them, says Jean-Michel Lamby, Associate Partner of IBM Security. “You first need to identify those risks and then find ways to get them under control. There are solutions even today when technology is developing faster than ever.” According to Lamby, the actual problem in getting companies cyber resilient is not of a technological nature. “Often the business sees security as a barrier to innovation, not as an enabler. That’s why it’s so important to speak the language of the business and be able to correlate business and cyber-risks. This will help them to understand the added value cyber resilience is delivering to the business.” Schellekens: “You have to make the business value clear: how security helps your company stand out from the competition. This means getting other departments like the marketing department involved too, not just IT and security.”
Cyber resilient culture
The support of the board is crucial on the road to cyber resilience. “Management has to take responsibility for security, give it a sense of urgency, and make it part of the company’s culture,” says Schellekens. The human factor is key. “30 to 40 percent of all security incidents are the result of human behavior. Therefore, a code of conduct for employees is needed.” Lamby adds: “Awareness has to be created throughout the organization, and the employees in all parts of the organization have to be trained. Typically, departments like HR, legal, and PR are active on the ‘right of the boom’: they are typically involved after a major incident has occurred and hits the news and social media. This is a domain that is often less practiced and trained for.” A cyber security incident in the media is a good time to create momentum and focus the attention on the issue, according to Lamby.
Improving security awareness
Advocacy campaigns like the recent European Cybersecurity Month can contribute to the security awareness of Belgian businesses, says Schellekens. “At Agoria, we are also taking initiatives to get companies engaged. We see positive developments, but there is work to be done at all levels. Federal institutions, industries, platforms, and companies such as IBM: we need all the support we can get.” In his opinion, legislation such as the GDPR also helps companies take security more seriously. “Organizations that had their privacy under control basically had no problem in complying with the GDPR. Companies could learn from this when preparing themselves for the European Cybersecurity Act. This certification will be mandatory in three to four years, so they have to start getting ready now.”
Dooms partly agrees with Schellekens: “The GDPR has put data privacy in the spotlight, so in terms of awareness it has worked. However, it’s only legislation; there’s no elaboration on the technical and organizational implications. In my experience, this is not effective in helping organizations become more secure.” Lamby thinks security solutions should not be only based on compliance. “Security solutions should be risk-based. Many companies tend to look at the minimum legal requirements and only make sure to comply with them. Instead, they should start assessing their security risks and see what level is acceptable for their business.”
Learn more about security in the age of continuous technological innovation. Contact firstname.lastname@example.org to receive the IBM Security Summit Belgium 2019 presentations.