Five tips to reduce cyber risk this Cyber Security Month
October sees the return of National Cybersecurity Awareness Month in the US and its EU counterpart European Cyber Security Month. The initiatives are a reminder of the vital role that IT plays in modern societies and the importance of keeping those systems safe and secure. The events are designed to promote best practices among both consumers and organisations, because the two are intrinsically linked. If the hospitals, banks, retailers and utilities providers we interact with are breached then critical services they provide may be disrupted and/or large volumes of customers’ personal data is stolen.
It’s no surprise that the World Economic Forum (WEF) recently revealed cyber as the biggest perceived risk of doing business for executives in North America and Europe. So what can organisations do long-term to insulate themselves from growing threats?
Cyber crime is a highly professionalised industry today, worth in the region of $1.5 trillion annually, according to some estimates. The underground economy driving the sector is a vast global network of dark web forums and marketplaces, cybercrime gangs and lone operators. Each has a distinct role to play in the ecosystem, and IT literacy is not even a pre-requisite, thanks to off-the-shelf toolkits and “as-a-service” offerings.
Thanks to this global cybercrime economy, modern cyber-threats have evolved and expanded to the point that IT security teams now have to contend with everything from info-stealing malware and banking Trojans to fileless malware, phishing, Business Email Compromise, ransomware and crypto-jacking.
At the same time, organisations are looking to digitally transform their services to become more nimble and customer-centric. This puts them at greater risk, as the attack surface expands to include new cloud, mobile, social and IoT infrastructure which may not be adequately protected. Cloud misconfigurations alone are a massive challenge, with hackers increasingly adept at scanning for and stealing or ransoming unsecured online data stores. In August, hackers claimed to have stolen 700,000 customer records from hospitality chain Choice Hotels thanks to an exposed MongoDB instance.
Raising the stakes
At stake for companies is their hard-won corporate reputation and financial prosperity. The average cost of a data breach now stands at over $3.9m globally. The risks multiply further in the context of IoT compromises, which could affect physical processes to disrupt operations and potentially put staff and customers in danger.
The bad news is that organisations are struggling to cope with such threats. Insurer Gallagher recently reported that 1.4 million UK businesses were hit by major cyber-attacks last year, costing them a combined £8.8bn. A quarter (23%) of responding SMEs (23%) warned that they’d survive for less than a month if a crisis meant they were unable to trade, leading the insurer to estimate that 57,000 UK SMEs could be at risk of collapse in 2019 if hit by a serious cyber-attack.
A report from insurer Hiscox earlier this year also sounded the alarm bell. It revealed a sharp increase in reported cyber-attacks year-on-year among small firms (from 33% to 47%) and medium-sized businesses (36% to 63%) in Europe and the US.
Time to act
The difficult question facing smaller sized organisations is how to mitigate the growing risk of cyber-attacks to preserve the value of digital transformation efforts. One of the EU’s CyberSecMonth themes this year is of cybersecurity as a shared responsibility, and it’s a message more SMEs need to absorb if they’re going to succeed. Security isn’t a one-off, tick-box item that can be sorted before moving on to the next one: it’s a continuous journey. Here are five ways to begin that journey.
1. Improve security awareness programmes
Employees are often referred to as an organisation’s weakest link. But with the right kind of training they can become a formidable first line of defence. Phishing simulation exercises are a great way of doing this, to test the ability of staff to spot suspicious messages and feed back on their scores.
2. Look to the future of security technology
Security is an ongoing arms race, so it’s important to ensure your organisation has the tools at its disposal to combat the latest innovations from the black hats. AI-powered features can, for example, better analyse and detect suspicious emails which may indicate phishing attempts. As always, it’s important to cut through industry marketing hype, so find a provider you trust and try to consolidate on the one platform, to reduce management overheads and security gaps.
3. Follow best practices
This should be a no-brainer, but so often organisations are found wanting after making basic security mistakes, such as cloud misconfigurations. The Capital One breach that affected 100 million consumers is said to have come from a series of mistakes including the misconfiguration of a web application firewall and excessive access permissions granted to staff. Best practice frameworks such as those produced by NIST and the ISF are great places to start. They cover things like encryption for sensitive data, continuous network monitoring, risk-based patch management, multi-factor authentication, and regular back-ups.
4. Aim for security-by-design
As mentioned, it’s not good enough to train your staff how to spot phishing emails. Best practice security needs to flow from the top-down. This is not only because time-poor senior executives are among the most exposed to BEC and phishing, but because major investments in security need board-level buy-in. Regulations like GDPR and the NIS Directive call for this “security-by-design” culture, but it can be hard to achieve and will take time. CISOs can play a vital role in promoting such initiatives.
5. Watch your supply chain
Most modern organisations are part of a complex web of global suppliers. Each of these partner and contracting organisations represents a security risk in its own right. GDPR is very clear that the buck can no longer be passed down the supply chain after a breach: that means security teams must become more accountable by auditing their partners and incorporating strict security standards in their contracts.