IoD cyber report

by Mark Rowe

Cyber attacks are widely under-reported, according to a study by the Institute of Directors (IoD) and Barclays. The business body and bank predict the emergence of a ‘cyber paradox’ that could result in companies no longer trusting online storage for sensitive data.

Businesses are not taking cyber security seriously enough, the IoD has warned. Less than a third of cyber attacks are reported to police. Companies are keeping quiet even though half of attacks resulted in interruption of business operations. The scale of the threat should not be underestimated, the business body added, with over seven in ten firms saying they had been sent bogus invoices via email.

The survey of nearly 1000 IoD members showed a gap between awareness of the risks and business preparedness. While nine in ten business people surveyed said that cyber security was important, only around half had a formal strategy in place to protect themselves and just 20 per cent held insurance against an attack. As for what the authorities are doing, nearly seven in ten IoD members had never heard of Action Fraud Aware, the UK’s national reporting centre for fraud and internet crime. For the report, Cyber Security: Underpinning the Digital Economy, visit The Director website.

The growing threat of breaches will create a ‘cyber paradox’, the IoD said, meaning that although business will increasingly take place online, firms will no longer feel confident in the encryption protecting sensitive information when it is transferred. This could lead to companies resorting to old-fashioned methods for sending important data.

The report was launched on Thursday, March 3 at the IoD’s headquarters in London, with speeches from Matt Hancock, the minister responsible for cyber security; Dr Jamie Saunders, director of the National Cyber Crime Unit at the National Crime Agency; and Paul Gillen, head of the cyber security operations centre at Barclays.

Prof Richard Benham, author of the report, said: “Cybercrime is one of the biggest business challenges of our generation and companies need to get real about the financial and reputational damage it can inflict. The spate of recent high-profile attacks has spooked employers of all sizes and it is vital to turn this awareness into action. Customers and partners expect the businesses they deal with to get it right.

“As attacks become more prevalent and increasingly sophisticated, businesses need to defend themselves, know how to limit damage, and be ready to respond quickly and comprehensively when the inevitable happens. No shop-owner would think twice about phoning the police if they were broken into, yet for some reason, businesses don’t seem to think a cyber breach warrants the same response.

“Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”

And Adam Rowse, head of business banking at Barclays, said: “Businesses must recognise the threat that cybercrime can pose to them, their reputation and subsequently their bottom line. With the number of customers going online rapidly rising, the issue of cyber security has never been more important. Companies need to consider cyber security as critical to their business operation as cost or cash flow.

“Some of the actions that businesses can take to get cyber smart include creating a cyber security strategy, raising awareness amongst staff of the common cons used to commit cybercrime, installing software that keeps them and their customers’ details safe and keeping all software up to date. At Barclays we have implemented a range of initiatives to help fight cybercrime, from our ‘digital eagles’ who teach vulnerable people how to stay safe online to educational content such as our recently aired TV fraud campaign.”

Comment

Ross Brewer, VP and MD of EMEA at LogRhythm, said: “Businesses are increasingly being targeted by high level cyber threats, and it’s crucial that they have the defences, knowledge and skills to deflect these attacks. This report is a clear indication that cybercrime is still not being treated as seriously as it should be. Businesses may have a greater awareness of threats due to regular high-profile attacks, but there’s still very much an ‘it’ll never happen to us’ attitude. The fact is, attacks are inevitable and if you haven’t already suffered an attack, you either don’t know about it or it’s just a matter of time.

“Not having a basic understanding of where data is stored, or what happens when this data is targeted, is worrying. Reports are repeatedly telling us that cybercrime is rapidly overtaking traditional physical crime, and businesses need to make sure they are adequately protected, just as they would in preparation for a break-in. A solid security strategy is key and shouldn’t be underestimated. This should include having a full data audit, regular staff training and putting tools in place that are equipped to flag anomalous activity as soon as it happens. Cyber-attacks are inescapable, and only by combining education and awareness with security intelligence will businesses be in a position to block an attack before data gets into the wrong hands.”

Stephen Love, Security Practice Lead – EMEA, Insight UK, said that the findings of this report are not unexpected. “Cyber extortion is a method growing in popularity with malicious, online criminals and businesses commonly believe there is nothing to do but pay the ransoms to ensure the security of their data and reputation. This is what is surprising – the lack of education around data security. Today, there are many different measures businesses can take to ensure their data is safe from malicious intent, but this report highlights the lack of knowledge around these measures.

“One of the most effective methods is encryption. Every organisation should be able to admit: ‘Yes, our network was hacked and data was stolen. However, your customer information is secure. It has made no difference to the business – reputational or financial – as we have protected ourselves so the data, if it fell into the wrong hands, is useless.’ It is crucial businesses assess just what portion of their data is most valuable and needs closer security attention. Not all data in an organisation would be deemed ‘sensitive.’ By carrying out a thorough assessment as to what data is uniquely distinct to the organisation, then discovering in what ways it’s at risk and putting in place security measures accordingly, every organisation can feel confident that they have the best defensive measures possible in place. If the sensitive data does end up in the wrong hands, it will be rendered useless.”

And Richard Brown, Director EMEA Channels and Alliances at Arbor Networks, says: “The fact that cyber-crime is not being reported and businesses are paying hackers’ ransoms is very concerning. It will also be a worrying thought for many customers who will wonder whether their data has been compromised.

“Attacks resulting in the exposure of customer details, such as that against Ashley Madison last year, which refused to give in to hacker demands, weigh heavily on organisations’ minds. Arbor Networks’ recent Worldwide Infrastructure Security Report also revealed ‘criminals demonstrating attack capabilities’ is the top motivation for hackers – something typically associated with cyber extortion attempts.

“Although many organisations will be concerned with reputational damage and further extortion attempts, it is important for businesses to not give in and instead learn how to be better prepared for future attacks. Organisations need to be vigilant, looking out for any suspicious activity to avoid becoming a victim of an attack or a ransom. What’s becoming essential, especially for larger organisations and high-value targets, is having the ability to detect and contain threats quickly – even when they make it past the perimeter defences. This isn’t all about technology – although having the right tools helps – people and process are key in this.”
