With the recent eBay hack, cyber security is once again brought to the fore.
Duncan Brown, Director at Pierre Audoin Consultants, has kindly written a piece on the different types of cyber security challenges that companies are facing, regardless of the size of the organisation.
Cyber security was one of the most hyped technology subjects in 2013, and it continues to grab the headlines in 2014. But there is substance behind the media headlines: cyber incidents continue to grow year on year, with little sign of slowing. Organisations are faced with protecting their businesses against cyber threats, but do they really understand the challenges they face?
There are three broad categories of cyber security challenges facing all sizes of organisation. The first of these is the expanding threat landscape, the attacks that are so often described in the media. Few organisations had heard of ransomware 12 months ago, but many have recently discovered its existence, in a painful and expensive way. And over half of Internet servers were exposed to the Heartbleed vulnerability, recently detected but in existence for over two years. The sophistication and determination of cyber criminals to exploit Heartbleed and other threats should not be underestimated, but organisations are also exposed to internal staff threats, either through malicious insiders or, more usually, through a lack of awareness of basic information security.
Businesses need to maintain a high degree of information assurance while leveraging the IT ‘megatrend’ technologies of social, mobile, analytics and cloud. Each of these technologies offers substantial productivity and cost efficiencies for all sizes of organisation, but each of them also introduces security vulnerabilities. Managers need to understand how to implement these technologies in a secure way without compromising the benefits to be gained. Security technologies can themselves degrade system performance and usability, so careful consideration is needed when deploying such measures. Security should be built into new systems as they are designed and implemented, not bolted on as an afterthought.
The second main challenge for businesses is to comply with an increasing range of regulation and legislation. All companies are subject to the Data Protection Act, which requires businesses to protect personal data from loss or misuse. Importantly, the legislation will soon be even more rigorous, as new EU laws are in preparation. This increases the requirements for data privacy, enabled by cyber security, and it also increases the financial impact on organisations for non-compliance: potentially up to five per cent of global revenues. This level of fines should get the board’s attention, as will mandatory and public breach notification. Non-compliance with regulations affects public perception and reputation, the financial impact of which may be greater than even the fines levied by the regulators.
The third challenge facing businesses is that, as the cyber security imperative grows and becomes more complex, the demand for professionals with suitable expertise rises. There are, quite simply, not enough cyber security experts around to fulfil all the demand today, and this situation will only get worse in the next three years.
So what is a business to do, given the increasing threat landscape, new impending regulation and a paucity of suitably trained experts?
Firstly, there are many sources of information and advice that provide guidance for free. For example, the government’s Cyber Streetwise campaign, aimed mainly at smaller businesses, provides some practical information and guidance on how to make business more secure. The government understands the importance of cyber security to the UK’s economy, and so has been active in communicating both the dangers of cyber threats and preventative action for several years.
The next thing to realise is that there are many solutions that address most of the threats we are facing, although this is a never-ending battle between the good guys and the criminals. Increasingly, these technologies are being hosted in the cloud, making them easier and cheaper to implement, particularly in small organisations. The perception that cloud is inherently insecure is incorrect: many cloud providers offer security at least as good as (and often better than) businesses can implement themselves, and usually at much lower cost. Many companies are also using Managed Security Services as a way of outsourcing their security requirements, and this is a good way of acquiring both technology and expertise at an affordable cost.
Companies are also increasingly looking at cyber risk insurance as a way of mitigating potential losses. The most effective insurance providers offer not only protection against financial liability but also advice and services covering incident response and remediation. At a time when many commentators predict that a cyber breach is inevitable, taking out insurance seems a pragmatic and responsible approach to take.
There is no doubt that cyber security is hard, and getting harder, as the threat landscape expands and the skills shortage worsens, while organisations seek to implement new technologies. Whatever their approach to solving the problem, whether by using technologies, services or by taking out insurance, there is one thing that businesses must not do. And that is to ignore the problem.