Robust and resilient?
– BullGuard blogger, Steve Bell, says:
Following a spate of high-profile and costly cyber incidents, the focus on protecting corporate and business networks has never been so keen. Nailing down robust cyber security policies can seem like a distraction from core business, but it is really quite straightforward, while failure to do so can have seriously damaging consequences.
Many executives at the top of the corporate tree are surprised by the speed at which a cyber-attack can translate into business, brand and share price damage. Just ask Gregg Steinhafel, the former CEO of Target, the discount retail giant, who fell on his sword a few months after 40 million shoppers’ credit card details had been compromised in a mega cyber security breach.
The company allegedly failed to respond quickly enough to security warnings following the discovery of malware in its payment terminals. Target’s share price fell almost 14 percent over the months that followed the breach. Sales were hit too, with profits dragged down 46 percent in a year-on-year comparison, and expenses relating to the breach reached $146 million.
Home Depot, the world’s largest home improvement retailer, also admitted in September that about 53 million email addresses and the details of some 56 million payment cards had been stolen in a cyber-attack. The company said it could cost around $62 million to cover the investigation, a credit monitoring service, call centre staffing and other steps taken following the breach.
Home Depot pipped Target at the post in the infamy stakes with what could be the world’s largest data breach. A Forrester analyst said of the Home Depot incident: “I would think if you’re a member of the board of directors, somebody has to be the sacrificial lamb for this.”
That comment should send shivers down the spines of executives at the helm of organisations unprepared for major cyber-attacks, and there are many who aren’t prepared. EY’s (Ernst & Young) latest annual Global Information Security Survey, which polled 1,825 executives in 60 countries, shows that unpreparedness is a common and global phenomenon.
No insight, no chance
The survey revealed that more than a third of organisations have no real-time insight into cyber risks or into what is required to combat rising threats, and that many lack the agility, budget and skills to mitigate known vulnerabilities and to prepare for and respond to cyber-attacks.
In a world where online channels are ubiquitous, networks are increasingly complex and the use of mobile devices is rapidly multiplying, organisations need to face up to the reality of cyber threats. Assets that were once physically protected are now accessible online, customer channels are vulnerable to disruption, and criminals have new opportunities for theft and fraud.
Of course, defending against and countering cyber-attacks is a complex challenge, especially in the context of changing business requirements, speed-to-market pressures, expansion into emerging markets, the demands of business innovation, budget constraints and all the other challenges organisations face. It can be a distracting issue, but it is one that needs addressing.
Far reaching damage
The economic effects of cyber-attacks can reach far beyond the loss of financial assets or intellectual property. There are costs associated with the loss of client confidence, the cost of ‘cleaning up’ after cyber incidents, the cost of increased cyber security and, of course, the damage to brand and reputation in the aftermath of an attack. A case in point is Target’s 46 percent year-on-year drop in profits.
The first step in cyber protection, as the well-known saying goes, is to ‘know thy enemy’. This means understanding not just the various shades of cyber-attack but, importantly, the points within an organisation that give rise to vulnerabilities.
For instance, many companies feel threatened by the speed of technological change and see it as something that can undermine their business. This needs to be countered with policies that set out concrete actions and responses.
It’s also important to establish precisely who has responsibility for cyber defences. Large organisations often have responsibilities split between different departments, which can cause difficulties not only in understanding and prioritising threats but also in responding to them.
Further, how does interconnectedness affect your organisation? Successful cyber-attacks on smaller firms or on third-party supply chains can affect the wider market. Vendors, suppliers and customers are all critical components of a successful business, and a successful attack against any of them can have an indirect impact on you.
In short, to truly protect against cyber-crime, organisations must move from a reactive to a proactive position and transform themselves from easy targets for cybercriminals into hardened ones. But, as the EY survey illustrates, many organisations still fall short in mastering the foundational components of cyber security.
Put down foundations
The first step is to nail down an IT security policy that covers issues such as how staff may use tablets, smartphones and home computers to connect to the company network. A security policy is the foundation of good security, and it must be comprehensive, identifying every known point of exposure.
A starting point is assessing the value of the data the organisation holds and establishing whether it is valuable enough for cyber-criminals to target.
Understanding the dangers
Is your organisation likely to be targeted by cyber-criminals with a global reach? Many recent high-profile attacks, for instance, have emanated from Eastern European countries. Do you need to view your cyber security through a global lens?
Are you aware that Trojan source code is readily available online and can be used by hackers to create malware that specifically targets your organisation? Do you have high-value accounts that could be of interest to hackers?
Improvements in online authentication methods, such as two-factor security, have pushed attackers towards malware campaigns paired with social engineering tactics, commonly by voice or email, that aim to get round the extra factor. Could your employees be a target, and have they been educated about these attack vectors?
Are employees up to speed on the dangers posed by email, online adverts and social media, which are used to deliver malware either directly via attachments or indirectly through hyperlinks to compromised websites? Are you familiar with botnets and the industrial-scale damage they can wreak, and do you know how to protect against them?
Four basic points
These are the sorts of questions you need to ask yourself. To help focus minds, exploring the following four areas will provide a good basis for a security policy:
- Information leakage – what would be the likely outcome if sensitive data leaked out of the company?
- Data leakage prevention – have you carried out a risk assessment to quantify risks and explored technology options for protecting data?
- Identity and access management – who has access to what data and how is critical data protected?
- Penetration testing – does your organisation continually assess the threat to key systems from both internal and external attack?
Cyber security used to be an issue that was exclusively the domain of IT. We’ve moved well beyond that: every person with a mobile device, a laptop or even a desktop is a potential point of entry.
It’s about business not technology
Companies need to make decisions based on this. Is it OK for employees to plug USB sticks or smartphones into company computers at the risk of infecting the network with malware? Is it acceptable for an employee to download information without authorisation?
Perhaps it makes more sense to have procedures in place that govern these and other actions, for example a policy that tracks devices by signing them in and out.
Above all, there needs to be a deep understanding that cyber security is no longer just a technology issue but also a governance and policy issue, and an important matter for executives. If you still hold to the idea that cyber security is a technology issue and your security is compromised, you may well be surprised by just how quickly it becomes a business issue.