In the aftermath of various attacks on large companies and public institutions, business leaders have been posing the same question to their technology executives: ‘Could this happen to us?’
‘Yes’ is the answer. Businesses becoming increasingly computerised means they are also becoming more vulnerable to cyber security threats.
Cybercrime is an expensive threat. In 2016, it cost the global economy over $450 billion. In 2017, we’ve already witnessed a number of landmark cyber security incidents. With 230,000 computers infected in over 150 countries, the WannaCry ransomware attack has been the most notable, striking organisations including the UK’s National Health Service (NHS).
As a result, corporations need to adapt their cybersecurity tactics to safeguard company data without restricting business growth. Let’s take a look at some of the options that organisations have at their disposal:
Human armour
Businesses mistakenly treat cyber security as an IT responsibility, and presume that technological attacks must be countered by a technological defence, but this needn’t be the case.
One of the most intriguing findings from Verizon’s 2017 Data Breach Investigations Report is that 43% of cyber-attacks are ‘social’ attacks, such as phishing - when an attacker attempts to steal sensitive information over the internet by posing as a trustworthy individual. Over the course of a year in a company of 100 people, Verizon estimates that approximately seven employees will be victims of a successful phishing attack. The implications are clear: businesses need to account for the human component in their cyber security framework.
Excitement, curiosity, and boredom can all be leveraged to accomplish a successful phishing attack. In this respect, cyber security training needs to promote a permanent change in psychology and online behaviour.
Response strategy
In the wake of a successful cyber-attack, victims may be tempted to close their accounts. In this sense, a poor response can be much more damaging than the attack itself. The extent of the fallout from a cyber-attack depends on how the company handles communication and PR in the aftermath, as well as the magnitude and nature of the breach itself.
TalkTalk, the UK-based telecommunications, internet and mobile network provider, lost £60 million and 101,000 customers in a major incident last year when hackers gained access to the personal details of more than 156,000 customers. TalkTalk’s example goes to show just how destructive a poor response strategy can be.
Penetration testing
Across the security landscape, penetration testing is regarded as vital preparation for the unexpected. In spite of this, only a minority of companies apply this same theory to their cyber defences.
In cyber security, penetration testing needs to be based on a relatable business scenario, such as phishing. Although carried out in a company across all departments, a penetration test should not impact on the routine functioning of a business.
Ultimately, penetration testing exists to find weaknesses in a company’s ability to react to an attack, and asks questions including: How will employees respond to phishing attempts?
Identify vulnerabilities and form strategy
Organisations need to ascertain which of their information assets is most salient. Companies also need to ask themselves what pledges they have made to customers regarding protection of data, which will inform what cyber security measures they should employ. Companies should also draft protocols for managing and preparing for security incidents.
Layered Defences
Most organisations have approached cyber security by investing disproportionately in one single area of cyber security. In reality, many vulnerabilities can be found by a motivated hacker. If customer credit card information resides in a single database, a cybercriminal would only have to breach this single layer in order to access the confidential information. Also, an employee may unintentionally create an opening, for example by accidentally e-mailing sensitive customer information.
Security will be at its best when various cyber defensive processes work in collaboration. Many companies regard the elements of defence as separate entities. They neglect to evaluate how these assets can combine in order to protect the business and its most vital information.
Conclusion
As business operations increasingly migrate online, corporations will have to be innovative in order to mitigate any potential risks. Digital data, online transactions, and online intellectual property have become so pervasive that the risks of failing to take precautions could be catastrophic.
Conventional wisdom in cyber security suggests that patching systems and employing company-wide antivirus software will protect companies from attack. But nowadays these strategies aren’t enough. Because of what is at stake, security needs to be a permanent item in the diaries of business leaders. Executives must engage in an ongoing dialogue to ensure their strategy continually evolves and makes the appropriate trade-off between business opportunity and risks.
The solutions that businesses are presented with are multifaceted. In a security landscape dominated by a mixture of social engineering and technological attacks, strategies that bring into play human as well as technological defences will prove most effective.
Oz is CEO and founder of CybSafe (www.cybsafe.com).
A former British Army and UK Special Forces Lieutenant Colonel, Oz has a successful track record of developing and leading the specialist application of intelligence, cyber and risk management capability to tackle sensitive challenges in business and government. He has extensive experience and understanding in the areas of intelligence insight, complex human networks and the human component of cyber security risk. He is also passionate about helping to reduce societal threats to stability and security by making the most of opportunities presented by advancements in technology. Oz sits on the Board of TorchlightGroup, a global counter threat company, and is a keen advocate of social investment. He has worked with a number of mentorship schemes and charities that aim to help young people from all walks of life fulfill their potential. Oz was made an MBE for his personal leadership in the most complex of conflict environments.