In business, making assumptions is dangerous – yet it’s a behaviour that is putting organisations in hot water time and time again. Let’s take cyber security for example. Many business leaders assume they are not going to be a victim of an attack. They have a romantic vision of attackers solely focused on high value targets because, more often than not, only attacks on large, well known organisations are reported by the media. However, this couldn’t be further from the truth.
Every business is, and will be, on the receiving end of a cyber-attack at some point. The consequences could be damaging and, in some cases, irreparable. Shipping giant Maersk, for example, suffered badly from the NotPetya malware outbreak in 2017. It lost its data centres and had to revert to a paper based system. Ultimately, it took out Maersk’s entire business operations.
However, while significant attacks of this kind are still happening, they are not as common as we are led to believe. Rather, cyber criminals choose to use widespread, ‘spray and pray’ type attacks. These are far quicker at delivering what criminals want. Moreover, a large proportion of attacks is actually the result of insider events – employees that are unaware of the protection requirements needed for their endpoints and data, or even disgruntled employees with malicious intent.
How organisations can deal with this growing and varied cyber threat was a hot topic at this week’s Advanced World – our annual customer conference which attracted over 1,500 business leaders.
I led a really insightful panel debate with William Morrish, General Manager EMEA at Alert Logic, Talal Rajab, Head of Programme for techUK's Cyber and National Security programmes, and Rob Bruce, Head of Technology and IT Support at PRS. All of our panelists provided great insight into cyber readiness and the biggest threats facing businesses today. Here are a few highlights:
- Digital transformation by its nature is about being quick. Hackers are using the same technologies as businesses – like automation – to do things better and faster.
- According to FTSE 350 Cyber Governance Health Check, 72% of businesses acknowledge the risk of cyber threats is high but, when delving into the issue, things get worrying. One in 10 don’t have an incident response plan and, of those that do, only 57% test it regularly.
- The government has been looking at regulations like the General Data Protection Regulation (GDPR) and NIS Directive to stimulate interest in and awareness of cyber security, but with little success. In fact, European data protection agencies have issued fines totaling €56m for GDPR breaches since it was enforced on 25th
- Attention is now being turned to software with security built in mind. It means organisations can buy solutions without having to think so much about security. There is less onus on businesses and more onus on software vendors.
- However, this doesn’t negate the need to raise awareness among the board and the rest of the workforce. Security is a real mindset and culture. Any cyber security strategy must start with educating people that a company’s data is sensitive – and this education must not stop. The IT department needs to educate the board and work with senior leaders to adopt a culture of responsibility at all levels. Part of PRS’ induction programme includes cyber security awareness, which I highly encourage other organisations to adopt.
- Furthermore, invest in the right people and they can be a company’s strongest link. This means training them and enabling them to do things in a secure manner. As Talal rightly said, “don't treat them like idiots, or they will act like idiots”.
As a group, we also offered further value to delegates at the session by offering useful, free resources. The National Cyber Security Centre, for example, is an invaluable but underused resource. It exists to give organisations advice, regardless of their size or the industry they are in.
Its frameworks, Cyber Essentials and 10 Steps to Cyber Security are good stepping stones, as they are not technical, and can be used to help businesses plan for cybersecurity now and in the future. Both reinforce the importance of getting the basics right such as patching and user education.
These resources can also be used to spark conversations with IT providers who, in the digital era, are core partners in any business ecosystem and are often a weak link in the supply chain. More than ever, organisations should be working with their IT providers to find out what they are doing to help them not only digitally transform but get better at securing their assets too. What are they doing from a proactive, not just defensive, level? What insights can they bring from other customers?
There is a clear job for IT providers to do in reassuring businesses that, if managed properly, technology is secure and helps with compliance. It’s an area we touched on in a cloud security blog post towards the end of last year. Here, we explain our commitment to safeguarding personal information and how our own software solutions have been designed with security in mind.
Clearly, there is a lot for organisations to think about. It’s perhaps no wonder that, according to our latest Trends Survey, 26% are still not prepared for a potential cyber-attack. Our panel session has only scratched the surface on cyber security but if there is one take away, it’s this – get to know your organisation’s assets and work out what skills you have in-house to manage the basics. Outsource some elements of security if you need to, and look to your IT providers for support.