BCI 2021 Cyber Resilience report

by Mark Rowe

Nearly three-quarters of organisations have fallen prey to at least one cyber attack in the past year, according to a Business Continuity Institute (BCI) report on cyber resilience.

Phishing remains the most popular method of attack, although the greatest concern is now ransomware. Attacks are evolving and becoming more difficult to anticipate, as criminals are starting to favour attacks that hit systems immediately, leaving victims no time to prepare. As for how to defend against cyber attack, the report suggests that good practice in organisational resilience is becoming a critical part of the defence process, and that commitment from top management is vital for limiting the number of attacks.

Introducing the report, BCI chair Christopher Horne wrote that year-on-year, cyber crime tops the list of future risks in the Institute’s annual Horizon Scan report. Cyber remains an omnipresent concern for business continuity practitioners and senior management alike, he said.

He wrote: “The report shows that nearly three quarters of organisations have had at least one cyber attack in the past year, and the research has revealed how attempted attacks have risen to an all-time high as criminals seek to exploit the loopholes of remote working policies employed during the pandemic. The concept of organisational resilience is one which BCI reports have discussed in detail, and cyber resilience is an area where its adoption is fast becoming crucial. Some organisations still have IT or cyber departments which function as a separate entity from business continuity and this report shows such arrangements are more likely to lead to an attack.

“One interviewee commented how ‘we don’t separate cyber resilience from business continuity’; an encouraging sentiment held by an increasing number of organisations. Indeed, strategic integration of cyber risk rather than the traditional approach of focusing on systemic risk is a successful strategy being increasingly adopted by organisations. Once again however, we see that it is people, rather than technology, which is the cause of most breaches. Two-thirds of organisations were impacted by phishing attacks in the past year, 25 percentage points higher than the second most common attack.

“Encouragingly, organisations are getting better at tackling the problem of phishing, and much of this is by employing the business continuity best practice of testing: penetration testing, and simulated incidents were used in nearly three quarters of organisations, and tabletop and scenario-based exercises in two-thirds. Moreover, cyber security bodies are also developing tools and techniques to help organisations develop their own monitoring programmes.”

Horne mentioned that the United States’ National Institute of Standards and Technology (NIST) has introduced the new Phish Scale to help companies better understand where areas of particular risk to phishing attacks lie in their own organisations. “Nevertheless, we cannot afford to be complacent. Cyber criminals are working hard to stay ahead of organisations’ resilience efforts and are continuing to evolve their attack vectors to gain access to systems. The most feared attack by organisations is ransomware due to potential for high reputational and financial cost. Such strategic attacks do, however, ensure attention from top management which will, in turn, drive organisations to build strong defences.”

The report sets out that the recent Covid pandemic has shown senior management the need for resilience to be a strategic priority, with cyber resilience as a part of that, and the need to recognise that people, rather than technology, are the primary reason for failure. The report covers the cyber landscape and the cost of cyber crime; who in the organisation has responsibility for cyber; incident detection and response; and how business continuity (BC) fits in.

The report is sponsored by Fusion Risk Management. Visit www.thebci.org.

© 2024 Professional Security Magazine. All rights reserved.