'Execs don't understand how to fix cyber security problem'

While 'maniacs run around' with mobile devices, executives are aware of a security problem, but don't understand how to address it

Corporate boards understand that the issue of cyber security needs to be addressed as "maniacs run around" with mobile devices - but they don't necessarily understand how to fix it, placing pressure on IT departments.

That's the view of Heyrick Bond Gunning, managing director of operational risk management company Salamanca, which has recently started a specialist cyber security division.

"One of the biggest challenges organisations have is they've got their infrastructure internally, then they've got a bunch of maniacs running around with a whole load of data on their devices that get left on trains or wherever.

"They're now being asked by the board to tighten everything up and put their cyber procedures in place," he told Computing.

"You've got IT guys, who are not cyber security guys, who are being asked 'why haven't you made us compliant?' And you've got IT guys who are cyber security guys, who are being told to make the company cyber compliant, but not being given the resources to do it," Bond Gunning continued.

"That comes from the fact that at board level people understand that there's a problem, but they don't understand what it's about and how to try and fix it."

Feras Tappuni, manager of Salamanca's cyber security group and formerly involved in a variety of solutions for US government agencies, pointed out that the challenges for IT managers have changed dramatically in recent years, with the proliferation of employee smartphones and tablets increasing the number of connected devices on corporate networks.

"They're dealing with so many issues that the IT manager is trying to convince his board for better funding and better understanding," he said, arguing that education is the key to overcoming the issue.

"Their real challenge is educating the team around them or the board of directors about the issues they're actually dealing with. That is a challenge that every security professional faces.

"The basics still need to be done. Ninety-seven per cent of attacks can be prevented by doing the basics," Tappuni added.

"Some of the basics could be internal training, internal awareness or the most junior staff understanding that if they've got a USB stick, use it but run it past IT just to do a quick scan on it, because you're bypassing firewalls. Just basic stuff like that," he said.