Breaches survey

by Mark Rowe

The latest PwC UK Information Security Breaches survey reveals that the elephant in the room in cybersecurity is the ‘human factor’, it’s claimed.

The annual survey was released on the opening day of the three-day Infosecurity Europe conference and exhibition at London Olympia. More in the July 2015 print issue of Professional Security magazine. Briefly, the survey found that large and small organisations alike are seeing breaches of their IT and computer systems, and such incidents are now a near certainty. The cost – whether in putting the breach right, the theft of data or disruption to services – is rising too. As for the cause of the breaches, while malware is still out there, malicious software is less often the reason; a breach may well be due to people – in error rather than out of malice – rather than to a computer virus.

PwC’s Richard Horne, Andrew Miller and Chris Potter went through the research at the show. It suggested that 90 per cent of large businesses and 74pc of small to medium sized businesses (SMEs) had experienced an information security breach in the past 12 months. The cost to SMEs of an information security breach could, PwC’s research indicated, range from £75,000 to £310,800.

Andrew Miller, Cyber Security Director at PwC, said: “With nine out of ten respondents reporting a cyber breach in the past year, every organisation needs to be considering how they defend and deal with the cyber threats they face. Breaches are becoming increasingly sophisticated, often involving internal staff to amplify their effect, and the impacts we are seeing are increasingly long-lasting and costly to deal with.”

Ciaran Martin, Director General of Cyber Security, GCHQ opened Infosecurity Europe 2015 with a speech. Martin advised the audience that the cybercriminals targeting UK organisations were motivated by “Power, Money and Propaganda”, remarking that changes in technology were yet to change human nature.

He went on to say that GCHQ has been “genuinely surprised by the extent and variety of UK organisations subject to intrusions,” adding that organisations could tackle cybersecurity by “think[ing] about what makes you attractive as a target.” He also told UK organisations not to focus on “stopping attacks always and everywhere” and instead to adopt an approach that involves protecting “what you care about most”.

Later David Jones, Head of Information Security at the BBC, and Andrew Rose, Head of Information Security at The National Air Traffic Service, discussed the importance of fostering a company culture where information security is everyone’s responsibility.

Comments

Adrian Davis, MD of EMEA at (ISC)², the US-based IT industry body, said: “The revelation that human error caused 50 per cent of the worst security breaches in 2015 and that three quarters of large organisations suffered staff-related breaches, shows that there is still a ‘people problem’ that many organisations are failing to address. The rise in outsourcing also indicates that companies are seeking to offload their cybersecurity responsibilities to others rather than ensuring that their in-house staff are equipped with appropriate security knowledge.

“This has resulted in basic attack methods being successfully utilised to penetrate large organisations through their employees. (ISC)²’s recent global survey of the information security workforce found that phishing attacks – hoax emails that dupe people into downloading malware – are still the most common threat technique used by malicious actors.

“Even worse, over a third of all cybersecurity investments are used for technical controls, while only a quarter of companies plan to invest in training staff. This indicates that businesses are falsely reliant upon security technology instead of investing in vital staff education and training. No matter how strong your technical defences are, poorly-trained employees have become a prime gateway for attackers to get in; and the complacency around awareness training is exacerbating the security breach issue.

“There is plenty of guidance and resources being made available to help with this task including, but not limited to, the UK government’s Cyber Essentials and 10 Steps schemes – which are intended to help organisations protect themselves against cyber attacks and educate users. Companies train staff to protect themselves in the real world with health and safety training. They need to treat information security in the same manner by teaching employees safety in the virtual world.

“The rise in BYOD [bring your own device] offers more opportunities for malicious actors to attack organisations through their staff, reinforcing the urgent need to teach employees about cybersecurity. Too many companies still treat cybersecurity as a niche specialism closeted away in the IT department or outsourced to professionals instead of giving the topic the much needed attention it deserves by educating all company employees. The estimated £500,000 lost in regulatory fines, compensation payments and the massive business and reputational damage unveiled in the survey offer a new imperative for businesses to change their approach to cybersecurity.”

And Rob Lay, Customer Solutions Architect at Fujitsu UK, said: “The news that cyber-attacks on British businesses are now almost inevitable comes as no surprise. Businesses have to recognise that they need to position themselves so that they can respond quickly and effectively when an incident happens and that they return their business to a normal mode of operation as quickly as possible.

“This requires focus in multiple areas, and taking a risk based approach that is aligned to the business strategy will help companies to achieve this. It should include looking at what critical assets need protection, what security controls and processes already exist within the business, the maturity of those controls, and ensuring that a security strategy exists that supports the broader business strategy.

“With studies revealing that nearly half of the worst security breaches were due to an element of human error, it is also vital that businesses educate employees about the dangers posed by security threats. A good place to start for businesses is having an intranet site that can deliver regular security updates and advisories for employees, and having security champions spread throughout the business. It should also include security awareness training for both new and existing employees, and this ought to include contractors who will be working within the enterprise as well.

“By following this approach, it will help ensure that businesses are able to keep pace with the rapidly changing threat landscape, position themselves to effectively recover from security incidents, and target future investments and developments in security to those areas that need it most.”

David Emm, Principal Security Researcher at Kaspersky Lab, spoke of an urgent need for companies of all sizes to implement a strong cyber-security programme. He said: “Step one: know the risks. If your organisation has never faced a cyber-attack, it’s easy to assume that ‘it won’t happen to me’, or even to think that what we hear about malware is just hyperbole disseminated by the media. However, all organisations hold data that could be of value to cybercriminals, and so any organisation could be a target; even if they are just used as a bridge for cybercriminals to access other companies. This is why it’s imperative that businesses of all categories and sizes recognise that the threat is out there and advance a strategy for combatting cyber-attacks.

“This strategy, and the policies that come with it, must address a number of elements; it must contain an accurate assessment of the dangers, the methods cybercriminals could utilise to infiltrate corporate systems, the tools required to mitigate the risks and actions necessary for handling the human element of security in the company. It is imperative to educate all staff on security policies – most of the time attacks start by deceiving people into doing something that endangers corporate security. It’s crucial to clarify security problems and explain them in an easy to understand manner. This means varied forms of communication (written and verbal), as well as including the usual list of dos and don’ts as a guide for staff to follow. Companies often put policies in place and have staff sign a one-off agreement of understanding, but then fail to ensure this is monitored with systematic awareness and education sessions that make imaginative use of various tools to ensure security is always front of mind.”

For the survey in full visit https://dm.pwc.com/HMG2015BreachesSurvey/.
