By Derick Hughes – firstname.lastname@example.org
Has your business been a victim of cyber-crime? Even if you think you have so far escaped the attention of the hackers, how can you be sure? Cyber-attacks are not always immediately obvious. In a worst-case scenario you may not even realise that you have been a victim until your customers tell you that something is wrong. New technology has a lot to offer businesses in terms of cost savings, information sharing and solving a multitude of operational problems, but with each of these advances there has been a corresponding increase in the amount of risk to which the organisation is exposed. These risks include compliance issues, reputational issues, and perhaps most challengingly, cyber-attacks.
An Increasing Threat
Cyber-attacks are a real and increasing threat. If you have not yet been the victim there is a strong probability that you will be targeted in the future. Attacks can prove expensive both financially, and in terms of their operational effect on your business. In the 2014 Cost of Data Breach study, conducted by the Ponemon Institute it was noted that the average cost of a data breach increased 15 per cent in the last year to $3.5 million. The same study put the global likelihood of an organisation being subject to a material data breach involving a minimum of 10,000 records higher than 22 per cent. There is significant variation by country for this result with India and Brazil being the most likely countries to suffer a breach, while German organisations have only a two per cent chance of a data breach. The study also confirmed that the most probable cause of a data breach is a malicious or criminal attack on your organisation’s computer systems. It is vital for the survival of your business that adequate preparations are made now to minimise the possibility of an attack succeeding.
Why Might Your Organisation Be Targeted?
Cyber-criminals attack organisations looking for their critical assets to use either for financial gain, or sometimes for their own competitive advantage. Despite the popular image of a hacker as a teenage boy alone in his bedroom cyber-criminals today are generally well funded and highly organised. The cyber-criminal community frequently makes use of individuals who are, or have been employed in the industries they wish to target. For example, recent attacks on financial institutions have involved people employed in the financial industry. By being able to call on the knowledge and experience of those with a detailed knowledge of the systems they were trying to breach the criminals enjoyed an advantage from the start. So what should businesses be doing to protect themselves?
■ Board members need to understand the nature of the risk they are facing.
■ Ensure that there is a strategy for actively managing cyber threats.
Understanding The Risk To Information
What needs to be understood from the outset is that information has value. Information is one of the key assets of your business. It makes a vital contribution to the successful achievement of all of your business objectives. The protection of information must be placed at the forefront of your activities.
Effective Management Of Cyber Threats
Far too few businesses understand the real risk posed by a cyber-attack. There is a perception that cyber-security is something that can be managed by the IT department and not something that has implications for the company as a whole. Instead of compartmentalising cyber-security as a part of IT it needs to be remembered that just as cyber technology can be used to enhance operations across every department, so a cyber-attack has the potential to affect every department of the company. There are also the less quantifiable effects of a cyber-attack that would have company-wide implications. These would include intellectual property rights concerns, the damage incurred to company reputation, and the potential fines imposed as the result of a security breach.
Treating cyber-security just as an IT issue is a potentially disastrous mistake. IT staff may be highly qualified and skilled at their jobs but they do not have the required remit to look at the risks from a company-wide perspective. Decisions must be taken on cyber-security at a boardroom level, and implemented across the company if the issue is to be adequately addressed. Cyber threats can never be removed, they will always be present in today’s business environment but it is possible to minimise the potential for an attack by adopting an organisation-wide strategy for managing cyber-risks. The strategy needs to do four things:
■ Identify and track key threats as they emerge, and monitor the organisation systems and procedures to ensure they are protected from all known threats.
■ Identify the organisation’s key information assets that may be targeted in any cyber-attack. Effectively manage these assets to reduce associated risks and enhance the security of the assets.
■ Effectively track digital information. Be aware of who has access to information and what access-rights they have. Before sharing valuable information with third parties ensure that systems are secure and not liable to be breached by an attack.
■ Plan for any post-breach investigation. In an ideal situation all cyber-attacks would be unsuccessful, but even with the highest level of security it is always possible that an attack may succeed in gaining access to your information. If this occurs there must be a recovery plan in existence which can be implemented quickly. Restoring your system’s security and reassuring your stakeholders that their data is now secure must be your top priority as soon as any breach is identified.
Once such a strategy is implemented it is important that it is regularly reviewed to ensure it remains relevant and able to cope with any changes to either the organisation’s structure or the potential for attack. The state of the organisation’s security should be checked, and reported on regularly at board level. It must be the responsibility of the board to ensure that security is not just maintained but is constantly improving. Technology is not standing still and as technology advances, the potential for attack in new ways also increases. The only effective means of combating the threat of cyber-attack is to be constantly improving both your systems and your operational procedures to make sure they are operating at the highest possible level.