With the increasing development and integration of information technology in all aspects of our lives, Simon Wilcox, MD of Digital Craftsmen, considers the cyber security challenges facing Boards and Senior Leadership Teams.
Information technology is one of the most dynamic and fast-moving areas in business. The rapid pace of improvement in what IT can do, coupled with its use in the integration of just about every aspect of our lives, from business to entertainment, banking to human resources, means that trends in IT have a massive impact on each of us.
Although information technology has undoubtedly been of vast benefit to us, it also presents problems. Cyber-crime is now a trillion-pound industry, with dedicated individuals, criminal organisations and even nation states involved in using increasingly complex attacks.
To illustrate the point, here are just a few recent examples of cyber-crime:
- The UK’s postal and parcel delivery service, Royal Mail, was hit by a ransomware attack in which criminals threatened to publish stolen data.
- 14 schools in the UK had confidential details leaked online by hackers. The information included children’s special educational needs, child passport scans and teachers’ contract details.
- UK water company South Staffordshire plc reported that the bank details of some of its 1.7 million customers could have been accessed and potentially leaked on the dark web.
Enterprises of all sizes can be affected.
It’s tempting to believe that cyber-crime is an issue only for larger, stock market listed firms, but the risks are real for companies of all sizes. Whilst it’s natural for company directors to be absorbed and distracted by other priorities, including building new products, services and capabilities, the reality is that the risks of cyber-crime deserve the focused attention of directors of every size of enterprise.
Creating technical resilience does not show on the balance sheet, but it’s an intangible asset for your organisation, because without it you’re exposed to significant risk and far-reaching consequences, including data loss, financial loss, regulatory fines, reputational damage and loss of faith in your brand.
Contextually, worries about cyber-crime are pervasive. Gartner’s Board of Directors report concludes that cyber security related risk is regarded as the second highest risk for most businesses, the first being regulatory compliance risk. Yet few directors feel confident that their enterprise is appropriately protected against a cyber-attack.
The threat of cyber-crime is increasing, and so is the pressure on firms to demonstrate they are taking appropriate action. Gartner report that there is increasing regulatory pressure on organisations to better manage their cyber resilience. In 2023, organisations in regulated sectors must look to increase their cyber resilience to ensure regulatory compliance, including greater information sharing, rigorous self-assessment and continuous exercising and testing.
Gartner maintains that, by 2024, organisations that adopt a cyber security network architecture will be able to reduce the financial costs of security incidents by an average of 90%. They also note that by 2025, 40% of boards will have a dedicated cyber security committee overseen by a qualified board member.
Due diligence towards cyber security is predicted to have strategic cost benefits. Gartner forecast that by 2025, 60% of organizations will use cyber security risk as the primary determinant in conducting third-party transactions and business relationships.
So, let’s consider the challenges, new developments, problems and solutions associated with these cyber trends.
Evolution in the digital world.
Digital transformation is simply the expected evolution of our daily lives. Businesses are digitising more services, to help customers make use of technology and the internet more effectively, enabling them to make their lives simpler and easier.
It’s a natural evolution. Look at where we were 5, 10 and 20 years ago. The technology landscape is changing very rapidly. And this rate of change increases as the complexity and capability of technology grows.
Of course, we’ve had an acceleration point, due to the pandemic, but evolution in the digital world is just part of our daily lives. As the reach and complexity of technology have increased, so have the activities of cyber criminals, who recognise the opportunity provided by access to companies’ systems and customers’ data.
IT security is too often regarded as a cost burden.
Historically, IT has always been a cost and we have slowly reached the point where Boards now understand that IT can be a strategic advantage. But IT security is currently where IT development was a few years ago. IT security is too often regarded as a cost, a burden, a thing we have to do.
However, we are now at a turning point, where many forward-thinking companies are really starting to understand that technology security, done well, allows them more confidence in what they are doing. It gives them some peace of mind that they are doing the right things.
I would urge the boards and senior leadership teams of enterprises of all sizes to avoid being naïve and complacent about the risks posed by cyber-crime.
Cyber-crime is varied.
There are several categories of cyber-crime, each with serious risks. A key cyber-crime threat is a ransomware attack, in which criminals invade and occupy company systems and demand significant sums to release the system. Firms can also be the victim of phishing activities in which employees are tricked into revealing sensitive security details and company data. Other crimes include theft of personalised customer data.
Cyber-crime has become commoditised.
It’s easy to imagine that cyber-crime is what happens to other organisations, not yours. But it’s worth emphasising that cyber-crime is no longer the domain of sophisticated criminal groups. Cyber-crime has become commoditised and is available as a service. Would-be cyber criminals can buy the software needed to commit cyber-crime, on the dark web, for just a few hundred pounds, equipping them to attack vulnerable firms with ease, including data theft and ransomware attacks.
Cyber-criminals are improving their planning and speed.
A clear trend is that cyber-criminals are planning their approaches more carefully. They are actively scanning the web to understand the vulnerabilities of the software that is out there.
When they find a vulnerability that can be exploited in, say, version 6.3 of a software release, they already have a list of target websites running version 6.3 and can immediately go and attack those specific websites.
So, it’s a much more targeted attack compared to randomly trying a wide range of IP addresses. Attackers no longer need to ‘knock on every door’ – instead, they now know which websites are running vulnerable versions of software, so they can immediately attack you. This means that the speed with which these attacks can happen is so much faster than it used to be.
Defending against cyber-crime.
Education and collaboration are key elements of the defence against cyber-crime. As part of their activities to defend against cyber-crime, we are now seeing companies (even competitors) sharing data security insights to enable higher levels of cyber security protection across their business sectors.
They are protecting their own organisation and helping to protect their peers, which produces the wider effect of improved cyber security across the business community.
If, like me, you believe in the principle of ‘a rising tide lifts all boats’ then it’s clear that the more the business community does to raise cyber security standards, the greater the deterrent to opportunist cyber criminals.
Active protection is important.
Cyber security is vital for large and small businesses alike. Experts are now routinely consulted for strategic and operational advice, and many organisations have departments dedicated to protecting against attack. However, relying on technology alone for protection is not enough. Cyber security experts urge that all employees, from the top of the company to everyday workers, must be educated and vigilant towards incoming threats, starting with things as simple as an email asking for confidential details. A passive approach to cyber security is not enough to protect against determined and highly skilled hackers.
Specialist security support is important.
Most businesses are effective at managing risks, but they are often less effective at identifying and understanding risks. This is where specialist IT security advisers can help. Technology security specialists are able to inform company policies and procedures. Without this specialist knowledge, firms of all sizes can make mistakes in compliance or legal regulations, such as GDPR or the laws relating to cyber security. It’s very important that they have the help of a specialist to support them at all stages.
Cyber security is an alien concept to many Boards.
The chances are that your company does not sell cyber security, therefore your management team and Board might not fully understand it. You might work for a company that sells beer, you might work for an airline, you might work for a company that makes fashionable clothing.
So, you have to speak to your Board in a language that they understand. You have to be clear, and you have to be transparent. It’s important to provide them with the facts and the scale of the risks associated with cyber-crime and a clear, costed programme for mitigating and managing those risks.
The need for colleague education.
As cyber security incidents and issues become more public, everyone is more aware of spurious emails and SMS messages. Managing these, and the need for continuous education and vigilance, has to be pushed down from Board level. You have to bring everyone in your company along with you and explain the cyber security threats in ways that your people can understand. It also relies on appropriate checks and balances in your business that allow cyber threats to be identified and countered, whilst ensuring that you do not paralyse the day-to-day operation of your business.
The consequences of failing to act.
The consequences of cyber-crime can be significant. In addition to substantial, perhaps crippling, business disruption, boards need to consider the reputational impact of data losses.
Financially, there are also huge fines for businesses if they don’t properly secure or safeguard client data. Under the General Data Protection Regulation (GDPR), the EU’s data protection authorities can impose fines of up to €20 million, or 4% of worldwide turnover for the preceding financial year – whichever is higher.
In addition, directors can be held personally liable for data breaches or other data protection failures in their business, with personal fines of up to five hundred thousand pounds.
It’s simply a misconception by many business owners that cyber criminals are not interested in their commercial data and digital assets. They are increasingly a target, and forward-thinking Board members need to plan how to protect their business data and commercial future, rather than think they are not on the radar for cyber-criminals.
Six key steps that your enterprise can take to protect against cyber-crime.
Whilst it’s not possible to completely eliminate the threat of ransomware, there are six key steps that companies can take to protect against cyber-crime.
1. Organisations need to be aware of all their data assets, computer systems, and potential points of network ingress to fully understand what they have on their networks.
2. Firms need to conduct vulnerability assessments across their entire computing estate, understanding where the vulnerabilities and misconfigurations in their systems lie.
3. Businesses need to prioritise the IT machines most important to their business and devise a clear plan for patching and protecting the most important machines, in priority order.
4. Patch their machines. Many organisations understand their vulnerabilities and what threats they face, but never get around to pushing those system patches out to resolve vulnerabilities and misconfigurations. An unpatched system is one of the most easily exploitable routes into a business network.
5. Companies need to commit to anti-virus and endpoint detection and response (EDR) capabilities to stop or mitigate ransomware ever getting onto their machines in the first place.
6. The simplest step is education and awareness, including teaching and continuously reminding staff about malicious links and malicious emails which can easily come into the business. This has been harder during the pandemic when people have moved away from the office, and there need to be constant reminders to be vigilant.
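Steps 1 to 4 above (know your assets, find the vulnerabilities, prioritise, then patch) can be turned into a repeatable check. The script below is an added illustration, not tooling from the author or Digital Craftsmen: it joins a small, constructed asset inventory against a constructed vulnerability list and produces a patch plan ordered by business criticality, severity and internet exposure. The criticality and severity scales and the asset fields are assumptions chosen for the example.

```python
"""Prioritised patch plan from an asset inventory and a vulnerability list.

Added example; the asset fields, scoring scales and sample records below
are constructed for illustration, not taken from any real estate.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    software: str
    version: str
    criticality: int        # 1 (low) .. 5 (business critical), assumed scale
    internet_facing: bool   # a potential point of network ingress


@dataclass(frozen=True)
class Vuln:
    software: str
    affected_versions: frozenset
    fixed_version: str
    severity: int           # 1 (low) .. 10 (critical), assumed scale


def patch_plan(assets, vulns):
    """Return (asset name, version to upgrade to, score), highest priority first.

    Score = criticality x severity, doubled when the asset is internet facing,
    so an exposed, business-critical system on a vulnerable release comes first.
    """
    plan = []
    for a in assets:
        for v in vulns:
            if v.software == a.software and a.version in v.affected_versions:
                score = a.criticality * v.severity * (2 if a.internet_facing else 1)
                plan.append((a.name, v.fixed_version, score))
    return sorted(plan, key=lambda row: (-row[2], row[0]))


# Constructed sample inventory: two systems still on the vulnerable 6.3 release.
ASSETS = [
    Asset("web-shop", "cms", "6.3", 5, True),
    Asset("intranet-wiki", "cms", "6.3", 2, False),
    Asset("hr-portal", "cms", "6.4", 4, True),
    Asset("file-server", "smb-service", "2.1", 4, False),
]
# Constructed vulnerability records (no real advisories referenced).
VULNS = [
    Vuln("cms", frozenset({"6.2", "6.3"}), "6.4", 9),
    Vuln("smb-service", frozenset({"2.0", "2.1"}), "2.2", 6),
]

if __name__ == "__main__":
    for name, fix, score in patch_plan(ASSETS, VULNS):
        print(f"{score:4d}  {name}: upgrade to {fix}")
```

Re-running the plan after each patching cycle shows which systems have dropped off the list and which remain exposed.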
About the author:
Simon Wilcox is MD of Digital Craftsmen. They are established experts in cyber-crime prevention strategies and management tools.
For 20 years they have provided tailored hosting and IT security solutions to businesses across many different sectors. They have clients in FinTech, InsurTech, Retail, Transport, Government & Public Sector, Digital Agencies and Educational sectors.
Digital Craftsmen is a strategic partner of Qualys, the leading global provider of information security and compliance cloud solutions.