Cyber security is never far from the news. From utility hacks in Eastern Europe to automotive security breaches in the US, the proliferation of connected devices in our modern world means the hacking barbarians are well and truly at our gates, and the means by which they force entry are ever-evolving and increasingly sophisticated. Electronic Specifier’s Joe Bush takes a look at the main cyber security risks.
In addition, as of 25th May next year, the General Data Protection Regulation (GDPR) will provide a new legal framework for data protection in the UK. Part of that framework is that organisations will carry significantly more legal liability if they are responsible for a data breach.
You would think, therefore, that upwardly mobile companies would be pulling out all the stops to ensure that they are cyber-savvy. However, a Government survey revealed this week that more than a third of company directors have no training in responding to a cyber attack, despite over half of the businesses surveyed saying that hacking is one of the primary threats to their business.
Here we look at the top 10 security risks that businesses need to consider:
1. Cover the basics
Typically, cyber criminals exploit only a handful of vulnerabilities in an organisation to carry out their attacks. Why? In truth that is all they need, because some of the core, simple security measures are being ignored: timely patching, for example. Some organisations still rely solely on anti-virus for protection. Meanwhile, threats are constantly evolving, multiplying and mutating, so it is imperative that an organisation keeps surveying the cyber landscape for new dangers.
Device lifecycles are also getting shorter, to the point where some, such as certain mobile phones, are almost disposable, so new devices are joining networks more often. It is therefore important that the hardware in an organisation can still receive and install new patches; ageing infrastructure that can no longer be patched is a breeding ground for security risks.
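The two checks this section calls for, patch timeliness and hardware that can no longer be patched, are easy to automate once an asset inventory exists. The following is an added example written for this article, not code from Electronic Specifier or any vendor. The inventory layout, the patch SLA of 30 days, the end-of-life platform set and the advisory list with its ADV-EXAMPLE-n identifiers are all constructed assumptions for illustration. It goes slightly beyond the text by also cross-referencing hosts against released advisories, since a host can be inside its patch SLA and still be exposed to a fix it has not yet applied.

```python
"""Patch-lag check over a constructed asset inventory (illustrative only).

The inventory, advisories and end-of-life set below are assumptions made
for this example; they are not from the article or from any real feed.
"""
from datetime import date

# Constructed inventory: host, platform and the date it last received patches.
INVENTORY = [
    {"host": "web-01",   "os": "Ubuntu 16.04",        "last_patched": date(2017, 8, 28)},
    {"host": "db-01",    "os": "Windows Server 2008", "last_patched": date(2017, 5, 2)},
    {"host": "hmi-03",   "os": "Windows XP",          "last_patched": date(2014, 4, 8)},
    {"host": "phone-17", "os": "Android 4.4",         "last_patched": date(2016, 11, 1)},
]

# Constructed advisories with hypothetical IDs (not real CVEs or vendor bulletins).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "affects": "Ubuntu 16.04",        "released": date(2017, 9, 1)},
    {"id": "ADV-EXAMPLE-2", "affects": "Windows Server 2008", "released": date(2017, 6, 13)},
    {"id": "ADV-EXAMPLE-3", "affects": "Windows XP",          "released": date(2017, 6, 13)},
]

# Platforms assumed, for this example, to no longer receive security patches.
END_OF_LIFE = {"Windows XP", "Android 4.4"}

# Assumed policy: every host must have been patched within the last 30 days.
PATCH_SLA_DAYS = 30


def patch_status(inventory, today, sla_days=PATCH_SLA_DAYS, eol=END_OF_LIFE):
    """Classify each host as 'unpatchable' (end-of-life platform),
    'overdue' (outside the patch SLA) or 'ok'."""
    status = {}
    for h in inventory:
        if h["os"] in eol:
            # No patch will ever arrive: the only fixes are replacement or isolation.
            status[h["host"]] = "unpatchable"
        elif (today - h["last_patched"]).days > sla_days:
            status[h["host"]] = "overdue"
        else:
            status[h["host"]] = "ok"
    return status


def exposed_hosts(inventory, advisories):
    """Hosts that have not been patched since an advisory affecting their
    platform was released. This is independent of the SLA: a host patched
    last week is still exposed to a fix published yesterday."""
    exposed = {}
    for h in inventory:
        for a in advisories:
            if a["affects"] == h["os"] and h["last_patched"] < a["released"]:
                exposed.setdefault(h["host"], []).append(a["id"])
    return exposed


if __name__ == "__main__":
    today = date(2017, 9, 4)  # fixed date so the example is reproducible
    for host, state in patch_status(INVENTORY, today).items():
        print(f"{host:10s} {state}")
    for host, ids in exposed_hosts(INVENTORY, ADVISORIES).items():
        print(f"{host:10s} exposed to {', '.join(ids)}")
```

The useful output is the disagreement between the two views: web-01 is within its SLA yet exposed to the newest advisory, while the two end-of-life devices can never be brought into compliance and need a different decision (replace, segment or retire) rather than a reminder to patch.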
2. Understanding the risks
Unfortunately, security risks are not always obvious, and many organisations fall short when it comes to understanding their vulnerabilities. Nor are these limited to technological risk: psychological and sociological factors are also at work, so a company’s corporate culture, and making sure everyone in the organisation approaches cyber security in the same way, is vital to how threats are handled.
For example, an individual may be overconfident in their outlook on cyber security (“If I got attacked I would know.”), or they may take more of an ‘ostrich’ approach (“There’s nothing I can do about the number of cyber attacks, so I’ll just ignore it.”). Either way, there needs to be a standardised approach for the whole organisation.
3. Cyber security policy
Further to the above, it is vital for an organisation to have a structured policy in place to prevent attacks, and a response strategy in the event that an attack does occur. Some companies may mistakenly believe that they are not at risk because they are not in the finance or technology industry, for example. However, if a business is connected, it is at risk. The chart below shows the 25 most damaging cyber attacks since 2004, and while web-based and technology companies were on the front line, the victims span multiple sectors. Indeed, only last week the UK second-hand gadget and video games retailer Cex had the data of up to two million customers stolen in an online breach.
So, prioritising a cyber security policy, and getting the workforce engaged with it, is an important step.
Help is on hand to assist in this matter. In the same way an organisation may outsource its legal or financial requirements, experts in cyber security and data protection are out there.
However, the larger the company, the slower it moves and, importantly, the slower it changes. This affects cyber security because it can take a long time for mitigation policies to be implemented, by which time it could be too late. Time is critical, and while senior management approvals are being sought a hacker will be hard at work. It is therefore vital that company bureaucracy is kept to a minimum and that cyber security policies are approved as quickly as possible.
4. Compliance and security confusion
Unless a company explicitly integrates cyber security into its compliance policy, the two are not the same thing. Simply adhering to ‘company rules’ will not necessarily tick all the cyber security boxes, so it is important that everyone within an organisation knows how to protect confidential information as part of the terms of compliance.
5. ‘You’ are the weakest link
The unpalatable truth is that many cyber security systems and strategies fall down once they are interfered with by a piece of organic matter, i.e. us. Often this takes the form of innocent practices by individuals who are simply unaware of the risks to which they are exposing the company, but there are also cases where lower-level employees have deliberately weakened an organisation’s security, made possible by poorly set up and poorly monitored access privileges.
In fact, privilege abuse is the leading cause of data leaks from malicious insiders, by some distance. Even companies that do have robust cyber security measures in place are not always aware of the threat from within the organisation, and focus solely on the battle against external dangers.
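Privilege abuse is only invisible when nobody compares what accounts do with what their role permits. The following is an added example written for this article, not code from Electronic Specifier or any product. It runs three insider checks over a handful of constructed audit-log lines: successful access to resources outside the user’s role, accounts holding the admin role that are not on the approved list, and a per-user count of denied attempts (a user probing for what they can reach). The key=value log format, the role-to-resource policy and the approved-admin set are all assumptions for illustration.

```python
"""Insider privilege-abuse checks over a constructed audit log (illustrative).

The log format, role policy and approved-admin list are assumptions for
this example; they are not any real product's format or any real data.
"""
import re
from collections import Counter

# Constructed sample audit-log lines (not real data).
SAMPLE_LOG = """\
2017-09-04T09:01:12Z user=alice role=sales action=read resource=/crm/accounts.csv result=success
2017-09-04T09:03:40Z user=bob role=hr action=read resource=/hr/payroll.csv result=success
2017-09-04T09:05:02Z user=alice role=sales action=read resource=/hr/payroll.csv result=success
2017-09-04T09:05:09Z user=alice role=sales action=read resource=/hr/salaries.xlsx result=success
2017-09-04T09:06:33Z user=carol role=admin action=grant resource=/iam/roles/admin result=success
2017-09-04T09:07:15Z user=dave role=engineering action=read resource=/src/app result=success
2017-09-04T09:08:00Z user=dave role=engineering action=read resource=/finance/q3.xlsx result=denied
2017-09-04T09:09:30Z user=eve role=admin action=read resource=/finance/q3.xlsx result=success
2017-09-04T09:10:21Z user=bob role=hr action=read resource=/hr/payroll.csv result=success
"""

# Assumed policy: resource prefixes each role is allowed to touch.
ROLE_POLICY = {
    "sales": ("/crm/",),
    "hr": ("/hr/",),
    "engineering": ("/src/",),
    "admin": ("/crm/", "/hr/", "/src/", "/finance/", "/iam/"),
}

# Assumed list of people approved to hold the admin role.
APPROVED_ADMINS = {"carol"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) resource=(?P<resource>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse the key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def out_of_role(events):
    """Successful accesses to resources the user's role does not cover.
    A role missing from the policy has no allowed prefixes, so all of its
    successful accesses are flagged rather than silently passed."""
    findings = []
    for e in events:
        if e["result"] != "success":
            continue
        allowed = ROLE_POLICY.get(e["role"], ())
        if not e["resource"].startswith(allowed):
            findings.append((e["user"], e["resource"]))
    return findings


def unapproved_admins(events):
    """Users seen acting with the admin role who are not on the approved list."""
    seen = {e["user"] for e in events if e["role"] == "admin"}
    return sorted(seen - APPROVED_ADMINS)


def denied_by_user(events):
    """How many access denials each user generated; repeated denials suggest probing."""
    return dict(Counter(e["user"] for e in events if e["result"] == "denied"))


def report(text):
    events = parse_log(text)
    return {
        "out_of_role": out_of_role(events),
        "unapproved_admins": unapproved_admins(events),
        "denied": denied_by_user(events),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Note that the out-of-role check only fires on successful accesses: those are the ones where the privilege model has already failed and data may have left. The denials are reported separately because they indicate intent rather than loss, and a spike in them from one account is worth a conversation before it becomes a success.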
6. BYOD policy
We discussed earlier the importance of bringing everyone in the organisation in line with company cyber security policy. However, that also applies to the devices that they bring in.
Many companies have introduced a ‘Bring Your Own Devices’ (BYOD) policy to offer increased flexibility to their workforce, improved mobility and greater employee satisfaction, but how many realise the security risks they’ve opened up to their organisation?
BYOD can expose companies to malware and to malicious Wi-Fi networks that personal devices connect to, and it places a heavy burden on IT departments. It can also leave a company vulnerable to data leakage or loss and to unauthorised access to company data and systems, and users could download unsafe apps or content. Despite this, few organisations are increasing their budget for BYOD, and there is much more companies can do to mitigate the risks: password protection (the standard go-to solution), remote wipe, device encryption, and data removal at employee separation or device disposal.
Caine Fearn, Managing Director at Frontline Consultancy, a provider of enterprise resource planning which has just launched a new mobile device management solution specifically aimed at companies who allow staff to BYOD, said: “We have launched our new mobile security solution because so many companies do not realise how vulnerable they are to data breaches by allowing staff to use unmonitored and unsecured devices. It is a common misconception that just because a mobile device is locked, data is secure. Every business will have to consider the issues behind GDPR and having the ability to monitor and control mobile device access to data will be critical for compliance going forward.”
7. Resource constraints
Cyber security is no different to any other area of a business when it comes to budget restrictions. And, if money is tight then cyber security may inadvertently slip down the pecking order for a resource-conscious organisation. Ask an average company finance director whether they want to invest in strategies to grow the business (which will achieve a relatively rapid Return On Investment (ROI)), or plough resources into cyber security measures just in case the company is subjected to an attack – for most it will be a no-brainer.
Like anything else, however, a company’s security needs adequate funding and an injection of talent in order to stay current. Otherwise the layer of security becomes thinner and weaker over time.
Unfortunately, establishing who is responsible for cyber security, and making sure it is properly maintained, is not easy, particularly for companies for whom cyber security is a relatively new phenomenon. Hacking threats to financial institutions and traditional technology companies have been around for some time, so there is likely to be an individual, or a team, responsible for it.
However, the IoT is making anything and everything connected, and has thus opened the door to new players in the market. White goods manufacturers, for example, were not developing connected washing machines 20 years ago, or even a decade ago. They have had to enter a realm in which they have traditionally not dabbled and have no experience and, in some cases, no expertise. Cyber security was never previously needed, so it is unlikely that there is a department, or even an individual, responsible for it. This leads to the question: who should be accountable?
The shortage of cyber security specialists is becoming a real problem. In the first half of this decade the number of cyber security-related job postings grew at over three times the rate of all IT job postings. Demand is there – supply, currently, is not.
8. Training and awareness
Whether it is the company network or a BYOD device, training for both new and current employees is critical to company safety. Just as vital, though, is that this training is relevant to the organisation and its workforce.
One effective way to achieve this is to assess the most common file types that attackers use to penetrate a system. That in turn gives the organisation actionable advice to include in the training. Phishing, for example, was the number one vector of cyber attack in 2016.
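Turning the mail gateway’s quarantine log into a tally of attachment types is the concrete way to find out which file types are actually reaching staff, and therefore what the training should dwell on. The following is an added example written for this article, not code from Electronic Specifier or any vendor. The log format, the sample lines and the extension categories are constructed assumptions for illustration; the classifier also catches the double-extension trick (a name such as "shipment.pdf.exe" that hides an executable behind a document-looking name), which a plain extension count would miss.

```python
"""Tally attachment types on quarantined mail to focus phishing training (illustrative).

The gateway log format, sample lines and extension sets below are assumptions
made for this example; they are not any real gateway's format or real data.
"""
import re
from collections import Counter

# Constructed mail-gateway log lines (not real data).
SAMPLE_MAIL_LOG = """\
2017-09-04T08:12:01Z from=invoices@supplier.example to=alice@corp.example attachment="Invoice_4471.docm" verdict=quarantined
2017-09-04T08:14:22Z from=hr@corp.example to=bob@corp.example attachment="handbook.pdf" verdict=delivered
2017-09-04T08:20:05Z from=dhl-notice@mail.example to=carol@corp.example attachment="shipment.pdf.exe" verdict=quarantined
2017-09-04T08:25:45Z from=it-support@corp-example.net to=dave@corp.example attachment="reset.js" verdict=quarantined
2017-09-04T08:31:10Z from=finance@corp.example to=alice@corp.example attachment="Q3 figures.xlsx" verdict=delivered
2017-09-04T08:40:59Z from=scan@printer.example to=bob@corp.example attachment="scan_0092.zip" verdict=quarantined
2017-09-04T08:47:30Z from=ceo@corp-example.co to=carol@corp.example attachment="urgent.docm" verdict=quarantined
"""

# Assumed extension categories for this example.
EXECUTABLE = {"exe", "scr", "js", "vbs", "jse", "wsf", "hta", "bat", "cmd", "ps1", "lnk"}
MACRO_DOCS = {"docm", "xlsm", "pptm", "dotm"}
ARCHIVES = {"zip", "rar", "7z", "iso"}
DOCUMENT_LOOKALIKES = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png"}

LINE_RE = re.compile(r'attachment="(?P<name>[^"]+)" verdict=(?P<verdict>\S+)')

# Awareness message to prioritise for each category (wording is this example's own).
TRAINING_MESSAGES = {
    "macro_document": "Do not enable macros in documents received by email.",
    "disguised_executable": "Read the whole filename: 'file.pdf.exe' is a program, not a PDF.",
    "executable": "Executable and script attachments are never legitimate business documents.",
    "archive": "Archives are used to smuggle executables past scanners; treat them with suspicion.",
}


def classify(filename):
    """Return (real extension, category) for an attachment name."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Double extension: a document-looking name whose real extension is executable.
    if len(parts) > 2 and ext in EXECUTABLE and parts[-2] in DOCUMENT_LOOKALIKES:
        return ext, "disguised_executable"
    if ext in EXECUTABLE:
        return ext, "executable"
    if ext in MACRO_DOCS:
        return ext, "macro_document"
    if ext in ARCHIVES:
        return ext, "archive"
    return ext, "benign_type"


def parse_mail_log(text):
    """Extract (attachment name, verdict) from each line that carries an attachment."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found.append((m.group("name"), m.group("verdict")))
    return found


def attack_file_types(text):
    """Extensions seen on quarantined mail, most common first."""
    tally = Counter(classify(name)[0] for name, verdict in parse_mail_log(text)
                    if verdict == "quarantined")
    return tally.most_common()


def category_tally(text):
    """Attack categories seen on quarantined mail."""
    return dict(Counter(classify(name)[1] for name, verdict in parse_mail_log(text)
                        if verdict == "quarantined"))


def training_points(text):
    """Awareness messages ordered by how often their category was seen."""
    ranked = sorted(category_tally(text).items(), key=lambda kv: -kv[1])
    return [TRAINING_MESSAGES[cat] for cat, _ in ranked if cat in TRAINING_MESSAGES]


if __name__ == "__main__":
    print(attack_file_types(SAMPLE_MAIL_LOG))
    for point in training_points(SAMPLE_MAIL_LOG):
        print("-", point)
```

Only quarantined mail is counted, because the question is what attackers are sending, not what the business sends itself. The ordering of the training points is the point of the exercise: on this sample, macro-enabled documents top the list, so the first slide in the training should be about macros rather than a generic warning about "suspicious attachments".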
9. Recovery plans
Prevention is better than cure as they say. However, it is inevitable that data breaches are going to happen so it’s imperative for an organisation to not only have cyber security systems in place, but to have a strategy that can be implemented quickly and effectively should a hack occur.
Unfortunately, research has shown that the number of organisations that are unprepared for a security breach and have no formal plan to respond to incidents has actually increased. Spending on preventative measures does not remove the need for a recovery plan, and without one the time taken for a business to get back to normal after a hack can be financially crippling.
10. Evolving risks
As mentioned before, the goalposts are constantly moving for companies that want to establish themselves as cyber secure. Risks are changing and evolving, and hackers are constantly looking for more sophisticated methods to get their hands on private data.
Malware that changes its form to evade signature-based detection, for example, is difficult to spot, so companies may need additional protection layers to identify and block it proactively. Part of this is being able to find vulnerabilities and patch them quickly. Cyber attacks are also becoming more aggressive and may force more drastic counter-measures, such as shutting down networks or disconnecting from the internet, which in turn leads to unwanted downtime. Experts have stressed that being as well armed as the hackers is the least an organisation can do. After all, an organisation needs to identify all the holes in its system; a hacker only needs to find one.