Are companies paying enough attention to cybersecurity?
Naïvety towards data loss threats could do serious damage to UK businesses
Technology has become fundamental to business success. Not only does it assist employees in their roles and help create efficiencies for internal operations, it is also essential for offering customer-facing solutions. As a result, cyber security needs are also rapidly changing.
It is no longer enough to invest in just physical security strategies. While a break-in at your business premises can be devastating, far more damage can be wrought by criminals bypassing your IT security. Once in, they can access valuable business or user data that, if stolen or leaked, can prove fatal for a company.
The general consensus is that cybercrime is on the rise. According to Action Fraud and Get Safe Online, UK firms have seen a 22% increase in cyber attacks over the past year, with reported losses exceeding 1 billion. The year also saw some of the worst data breaches in industry history, including Yahoo and DailyMotion, resulting in the loss of billions of user records.
This is a concerning trend, and there are calls for businesses to do more to protect the data they hold. The unfortunate truth is that implementing cyber strategies is difficult. They are often time-consuming and can be incredibly costly, but there are many voices saying that firms ought to be taking cybercrime seriously.
The cost of cybercrime
PwC, a multinational professional services network, has conducted a significant volume of research into business cyber security practices, and has found a number of worrying trends. For example, while some UK companies demonstrate an interest in new cyber security methods, there are still far too many firms that are naïve to cyber threats. As many as 18% of businesses aren't aware of the number of cyber attacks they've had over the past year, in spite of the fact that the average cost of incidents is around 2.6 million.
Richard Horne, cybersecurity partner at PwC, says there are a lot of companies that don't understand the seriousness of cyber attacks and in many cases believe cybercrime is something that won't affect them. This means when a situation does occur, they don't have the resources to be able to prevent damage, causing repercussions for future growth.
"Many organisations just don't realise how vulnerable they are. They remain in the mindset of thinking that a cyberattack just won't happen to them, but realistically we're now in a 'when not if' situation. As a result, these businesses haven't got the right crisis planning, readiness and response in place for when the inevitable does happen," he says.
"In moving towards becoming digital organisations over the last decade, many companies now don't fully understand where their data lies, what it holds and what's critical. It's also hard to know what third parties they rely on to keep their critical data and processes secure, from outsourcers to partners and staff or even clients. As many of these digitisation programs were designed without security in mind, it's common that they're now open to manipulation."
Horne insists on the importance of having the right cybersecurity practices in place, covering all aspects of a business. He says companies should consider this throughout every step of the decision-making process. "Cybersecurity is far more than just building security controls; it's about changing your organisation to be securable," he tells IT Pro.
"That requires all aspects of a business to be engaged, tough decisions at board level, and embedding consideration of cybersecurity risk in all decision-making processes. It's not just about having more budget to buy more technology to patch cybersecurity holes. UK organisations need to take a more strategic approach to how they spend their budgets to start to see a real uptick in [their] security posture."
Be prepared and develop strategies
Preparation is essential when dealing with cybersecurity threats. If companies don't have suitable protections in place, then the damage can be much worse. Anton Grashion, EMEA senior director of product marketing at American software firm Cylance, says businesses spend too much time chasing and trying to patch up attacks after they happen.
"When it comes to protecting your organisation, prevention and preparation are the best medicine. Once a breach takes place, the business cost and business risks go up exponentially, with every second of delay resulting in further harm. IT staff are often forced to drop everything to initiate a lengthy chain of discovery, analysis, verification and remediation whilst in crisis. As time ticks by, the damage continues and costs mount," he says.
"It's a reasonable question to ask why the situation doesn't seem to improve; as the industry becomes more connected, malicious actors take advantage of the vulnerabilities created by the gap between IT security and operations. What organisations are not doing very well is preventing attacks. They're spending time and resources chasing [them] into the network at which point their data has already been compromised. The balance has shifted too far from prevention to detection and remediation and it's a balance that's needed."
He adds that firms need to spend time and money creating an efficient strategy that can help them fight cyber criminals. "A pre-execution strategy is the first step in building an effective security portfolio. Identifying malicious applications before they get a chance to execute helps limit security management costs and system performance overhead," he says.
Innovating to fight cybercrime
Automation is transforming a plethora of industries, and it can also help companies fight cybercrime. Jes Breslaw, director of strategy at data virtualisation firm Delphix, says automated processes can simplify and speed up complex, time-consuming cybersecurity approaches. In particular, automation can provide data masking, a way of organising company data.
"The process of masking both production and test data has traditionally been an expensive and complex task. That means companies have found it particularly difficult to limit the risk to brand reputation and unexpected fraud or identity theft, when data has fallen into the wrong hands," he says.
"Overcoming this barrier means considering technologies that automate data masking at scale. Using data virtualisation, companies can mask data once and then ensure all subsequent copies have the same protective policies applied. This approach holds significant benefits when considering the impending EU GDPR, which is a growing security concern.
"Had the GDPR been in operation when the TalkTalk breach happened, the company's fine could have been in the region of 70 million, based on 4% of its annual worldwide turnover. As such, taking steps to drive greater visibility and standardisation into processes such as data masking will be paramount to future-proof business against both cost and compliance implications in the coming year."
Technology is always advancing and more firms are investing in new innovation and developing data-centric processes. With this in mind, it's easy to assume cybercrime is going to disappear overnight. In fact, it is only likely to get worse. Companies need to start taking it seriously now, or they could face harsh consequences.