An increasing number of high-profile data breaches have taught us that how a company looks after its information and manages any incidents can make or break an organisation. This can be the difference between winning and losing business contracts.
Getting it right, however, can directly affect the business's bottom line, as increased confidence brings an increased share price and competitive advantage.
Emerging Threats & Risks
Navigating the ever-changing Threat landscape presents a myriad of challenges for today's modern, technologically savvy organisation. What could compromise your assets can range from human error and environmental factors all the way through to serious organised crime and targeted Advanced Persistent Threat (APT) campaigns.
Building up a holistic picture of the Threat landscape will enable organisations to forecast the consequences of a potential attack and act to mitigate the associated risks.
Protecting & Exploiting Information
With the average breach estimated to cost an organisation anywhere between £75,000 and £311,000 for SMEs and £1.45-3.14 million for large organisations, there is a clear business justification to foster a culture which values and protects information.
Organisations that are able to recognise the strategic value of the information they hold, and exploit their assets, are more likely to improve their 'value for money' potential and see benefits such as business innovation and financial revenue.
We all live in a world which is networked together, from internet banking to government infrastructure, and thus network protection is no longer an optional extra. Cyber-attack is now an international concern, as high-profile breaches have raised concerns that hacks and other security attacks could endanger the global economy.
A cyber-attack is a deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyber-attackers use malicious code and software to alter computer code, logic, or data, resulting in disruptive consequences that can compromise data and lead to cyber-crimes such as information and identity theft or system infiltration.
In 2015, computer security group Veracode reported that defending the UK against cyber-attacks and repairing the damage done by hackers who penetrate security systems costs businesses £34 billion per year.
In August 2015, the personal data of 2.4 million Carphone Warehouse customers, including bank details and encrypted card digits, was affected by a data breach. Similarly, in December 2015, it emerged that in the previous June the personal details of 656,723 customers of high street pub chain JD Wetherspoon were revealed, and the data was available for sale on the dark web.
By far the biggest and most recent data breach, however, happened in October 2015, when almost 157,000 TalkTalk customers had their personal data hacked into. 15,656 customers had their bank account numbers and sort codes leaked, resulting in bank accounts being hacked. As a result, the telecoms company lost 101,000 customers and suffered a cost of £60 million.
Given that cyber-crime is worryingly regular, it is no surprise that governments and businesses are seeking elevated cyber defence strategies. In 2014, the European Network and Information Security Agency held a cyber security exercise involving 29 countries and over 200 organisations. The test simulated more than 2,000 cyber incidents including website defacements, access to sensitive information and attacks on critical infrastructure, with software and hardware failures judged the most damaging security threats.
Cyber Crime Categories
There are two broad categories of cyber-crime: breaches in data security, and sabotage. Data security breaches refer to the theft of personal data, intellectual property or trade secrets, for example, whereas sabotage usually culminates in service attacks. These attacks flood web services with bogus messages, and sit alongside more conventional efforts to disable systems and infrastructure.
Cyber-crime is unlikely to slow down, despite government efforts and input from specialists. Its growth is being driven by the expanding number of services available online, and the increasing evolution of online criminals who are engaged in a continuous game with security experts.
With constant technical innovation, new dangers are constantly coming to the surface. For example, the migration of data to third-party cloud providers has created an epicentre of data and therefore, more opportunities to misappropriate critical information from a single target. Similarly, mobile phones are now targets, expanding the opportunities to penetrate security measures.
Protecting your business against cyber-crime or data theft is the fastest growing risk issue facing SMEs today. As more businesses move towards cloud storage this problem will become increasingly complicated, yet SMEs are increasingly failing to address this.
The bigger picture is more worrying. A recent report from McAfee and the Center for Strategic and International Studies (CSIS) on the effects of cyber crime on technology and IP driven economies such as the UK shows that it is particularly damaging to wealth and job creation. In the UK alone, the total cost of cyber crime to the economy was £6.8bn (0.47% of GDP). Meanwhile, statistics from the US show that 60% of small companies are unable to sustain their business within six months of a cyber crime attack.
The fall in the number of SMEs affected by cyber crime suggests that SMEs are investing more in cyber security prevention, including staff training, establishing firewalls and securing virtual private networks. These measures in isolation are not sufficient to protect against the growing scale of cyber crime, and SMEs remain vulnerable as both technology and cyber criminals become more sophisticated.
Understand what is at risk
In the first instance, you need to identify the information critical to your business to understand the risk you are exposed to and how to best protect your assets. This will enable you to identify where a cyber criminal might try to access your information and help you to break down the security into manageable areas and ensure that all are adequately protected.
Supporting this should be a business continuity plan. By defining the procedures in the event of an attack, you may be able to keep parts of your business running and limit the damage. You will also need to make sure that a security breach in one part of the business will not affect another, and that your data is backed up in another location so that you can access it again. Thinking of the worst eventuality will help you to work out which assets need protecting and what you need to put into place to safeguard them.
Does your business need to comply with data protection legislation? If so, you will be required by law to protect this information or risk being fined in the event of a security breach, further increasing the cost of an attack to your business.
Put in place the right security controls
The starting point is that you will need to ensure that there is an enforceable IT security policy in place with guidelines around security updates, passwords, home working, social media and use of personal devices at work. This should cover use of the internet, email and telephones, but more importantly, the consequences for their misuse.
Ensure that your networks are protected from both external and internal attacks by installing high security firewalls. Anti-virus software that addresses your company's specific needs should be implemented on all systems; off-the-shelf anti-virus software will not meet many businesses' IT security requirements. Encrypt all your data, particularly if there is a high use of personal devices and homeworking within your business, and protect it with robust passwords.
Review your security
Methods used by anti-threat software developers mirror those adopted by hackers. It can be difficult to remain one step ahead, but there are some basic controls that you should adopt. By running modern operating systems that are regularly updated, you can take advantage of the protection of updated security features. Regular risk assessment will also help you to respond to changing security requirements and improve internal controls.
Cyber security should be thorough and seamless, regardless of business size or organisational standing. Computer networks will forever be the target of criminals, and it can be argued that the danger of cyber-security breaches will only increase in the future as networks continue to expand. Having the right level of preparation and specialist assistance is vital to minimise and control damage, and recover from a cyber breach and its consequences.