Cybersecurity: Are you at risk?

Growing risks

Fears of a so-called ‘black sky’ cybersecurity attack capable of knocking out power for weeks were stoked recently when UK Defence Secretary Gavin Williamson alleged Russia had been spying on the UK’s energy infrastructure and could cause “thousands and thousands and thousands” of deaths if it crippled power supply, according to an article in The Daily Telegraph in March. This followed accusations from the United States that Russia was behind a campaign of cyber-attacks targeting the US power grid.

While we are not all likely to be plunged into darkness just yet, and there may well be some political point-scoring going on, it is clear cyber risk has taken on a far more serious and sinister tone in recent months. However, the potential for country-wide attacks shouldn’t overshadow the breaches occurring every day to businesses of all sizes in all industries around the world.

Cyber incidents targeting businesses nearly doubled from 82,000 in 2016 to 159,700 in 2017, according to the Online Trust Alliance (OTA), an Internet Society initiative promoting the evolution of the Internet for the benefit of people throughout the world. Since the majority of cyber incidents are never reported, OTA believes the actual number in 2017 could easily exceed 350,000. The Online Trust Alliance is an initiative within the (ISOC), a global non-profit with the mission to promote the open.

“Surprising no one, 2017 marked another ‘worst year ever’ in data breaches and cyber incidents around the world,” according to Jeff Wilbur, director of the OTA initiative at the Internet Society. Commenting on the OTA’s website, he says: “This year’s big increase in cyber attacks can be attributed to the skyrocketing instances of ransomware and the bold new methods of criminals using this attack”.

Banks in particular seem to be taking the cyber threat seriously. In a 2018 Risk Survey sponsored by Praxity participant firm Moss Adams in the US reveals that 84 per cent of executives and directors of US banks with above $250 million in assets regard cybersecurity as a top risk concern. For the fiscal year 2018, these banks budgeted an average of $200,000 on cybersecurity expenses, including personnel and technology.

Cyber threats to all businesses

The question for most is how to minimise the cyber threat, and more importantly, how to do it when resources are already stretched? The cyber challenge is particularly tough for small and mid-sized businesses without the money of multinationals but just as vulnerable to attack, according to the new 360° Cyber Risk Survey report by US accounting firm Aronson, a participant in Praxity Global Alliance.

The report makes clear that “as larger companies continue to make massive investments in increasing their cybersecurity measures, middle-market and small businesses are becoming a greater focus for cyber criminals. Many middle-market organizations lack the budget, resources, processes, and technology to effectively defend against a harmful breach. Considering the gravity of potential breaches, middle-market organizations need to do more to confront and mitigate cyber risk – before they face financial losses and reputational damage.”

Aronson Partner Payal Vadhani, co-author of the survey report and head of the Cybersecurity, Risk and Compliance practice, says small and mid-sized businesses are especially vulnerable as they don’t have many of the security measures found in large companies. She explains: “They have to worry about perpetrators breaching their network through network devices or back doors, as well as employees knowingly or unknowingly handing out information to the attackers”.

The Aronson expert acknowledges that risk is being treated more seriously by smaller companies, but she suggests it is not being addressed in the right way.

“The nature of the issues facing different sized companies in various markets are very different. Cybersecurity is not ‘one size fits all’. It all depends on the company and its industry. What I see in the mid-market sector is that companies know about cyber risk. They are thinking about it but are really struggling to find the budget for delivering security measures. There is IT spend to keep the lights on but not much on protecting data and the particular requirements of the market they are in. Most of our clients in the Washington, DC area are in government contracting services, healthcare and finance, and they have specific issues that they have to address.”

Multinationals open to attack

Despite generally having more money to throw at cybersecurity, global businesses are frequently victims of damaging cyber attacks. The reason, Payal Vadhani says, is they are not addressing all the risks they are exposed to.

“They have spent millions of dollars on defence in depth but they are finding out it is not as watertight as they would like it to be. There are lots of different reasons for this. It could be a range of issues from the availability of services and information for companies such as internet service providers, Twitter and Netflix, or ransomware or data breach for other companies. These issues are connected to a myriad of different things such as personal devices, cloud services, ageing infrastructure, and humans, who represent the weakest link.”
Simple oversights can make a business highly vulnerable to attack. The Aronson cybersecurity expert adds: “I know of some cases where administrator IDs are in a publicly accessible file which are in plain text and not encrypted”.

Minimising the risk

Amazingly, the OTA calculates 93 percent of all breaches in 2017 could easily have been avoided had simple steps been taken such as regularly updating software, blocking fake email messages using email authentication and training people to recognise phishing attacks.

It comes as no surprise, therefore, that the Aronson survey report reveals alarming gaps in the way cyber risks are managed. Just over half of mid-sized business respondents said policies to protect sensitive information were not implemented while 36% said their organisation did not conduct security awareness training.

Payal Vadhani says organisations should, at the very least, put in place an incident response plan on the steps they need to take to contain and recover from cyber incidents, backed by cyber insurance policies and awareness training.

Cyber compliance

Failing to address cyber risk doesn’t only increase an enterprise’s vulnerability to attack, it could also land an organisation in hot water in terms of compliance. The General Data Protection Regulations (GDPR), which come into force in May 2018 in the EU, could result in a fine of up to 4% of global turnover or €20 million, if breached.

The EU regulations place important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located. This is another aspect of security awareness training that should be considered by organisations offering goods or services to, or monitoring the behaviour of, EU data subjects.

Holistic solution

To overcome these cyber challenges, Aronson says cyber risks must be addressed holistically. Its report states: “Risk mitigation strategies must be devised, which demand stakeholder engagement from the board-level down to frontline staff members. A multi-pronged approach that leverages technology, education, and cyber insurance should be contemplated to achieve cybersecurity programme resiliency and effectively combat cyber threats.”

Payal Vadhani suggests: “A customized cybersecurity program based on industry type, business needs, regulatory requirements, and specific business and cyber risks is worth exploring as data is becoming the new currency”.

Managing cyber risk is no easy task, and is constantly evolving, but a clear strategy rolled-out across every department, coupled with awareness training for every single employee, would go a long way to addressing vulnerabilities.

Doing nothing isn’t an option, she says. “Cybersecurity is a journey, and not a destination. It’s important to start taking baby steps in the right direction. With focused and concentrated efforts, companies can improve their cybersecurity posture over a period of time.”