Are you doing enough to protect against cyber-attacks?

BSI Features Writer


A recent survey of 568 organizations found that cyber-attacks are seen as the top threat to business. The risk from cyber-crime is viewed as worse than other threats such as IT outages, terrorism, supply chain disruption and adverse weather.

How are businesses responding to this threat? Unfortunately, many organizations are failing to adopt a strategic, evidence-based approach. Around 26% of organizations do not carry out long-term trend analysis to identify risks, and one third (33%) of those that do complete trend analysis fail to use the results.[i]

What is a cyber-attack?

There are numerous routes into a company’s computer systems. For example, malware and viruses exploit weaknesses in a system for a malicious purpose, such as disrupting operations, stealing data or taking control of a system so ransom payments can be demanded.

An attack might come from an organized criminal gang seeking financial gain, or simply from someone with hacking abilities who feels like causing chaos. The damage might be caused immediately or the attacker could lurk for long periods, observing activities and stealing data undetected.

A 2015 cyber-bank heist reveals the growing sophistication of the threat. Interpol, Europol and Kaspersky Lab identified that a cyber-criminal group known as Carbanak had penetrated the computer systems of more than 100 banks around the world.

Targeted emails sent to staff members with an infected Word document opened the way for hackers to enter bank systems for between two and four months. The criminals were even able to access internal bank security cameras, revealing habits and working patterns of employees. Carbanak made an estimated $1bn (£760m) from the attacks, costing each organization up to $10m (£7.6m).[ii]

Why cyber-attacks are on the rise

For the second year running, cyber-attacks have been identified as the top threat in the BCI Horizon Scan Report, which polled 569 organizations in 74 countries. Use of the internet for malicious attacks also tops the chart of top five trends and uncertainties. A substantial 85% of business continuity managers were worried about cyber-attacks and 80% were concerned about a potential data breach.

It is hardly surprising that cyber-attacks are growing in volume and audacity. The average cost of a breach has grown 14% in the last year and now stands at around £4.1m.[iii] High-profile attacks on UK brands such as TalkTalk have raised awareness of this form of threat, but awareness of the risks faced by small and medium-sized enterprises (SMEs) trails behind.

The threat against SMEs

Cyber-attacks cost UK SMEs £34.1bn in the past year, according to research by business internet service provider Beaming. Despite the threat of cyber-crime, only 44% of SMEs have put in place basic protection systems to guard against attacks.

Criminals know that SMEs tend to have weaker cyber-security than large companies, which is why attacks on smaller businesses are on the rise; cracking a handful of smaller organizations can be quicker and easier than attacking one large one.[iv]

Allocating resource to fight cyber-crime

In an ideal world, C-suites would take decisions about resource allocation based on factual analysis about the probability and potential for financial and reputational risk posed by each type of threat. Unfortunately, executives sometimes respond more strongly to graphic news reports than to hard data, allocating disproportionate resource to high-profile risks such as terrorism.

Long-term trend analysis is one of the best ways to ensure that resource is allocated to address risk in an appropriate way, but many organizations have yet to embrace this approach wholeheartedly. Some 26% of organizations do not carry out longer-term trend analysis at all, while 33% of those who do carry out trend analysis do nothing with the results.

Smaller organizations are less likely to carry out trend analysis

SMEs are a significant 58% less likely than larger businesses to use trend analysis to assess risk. Three quarters (74%) of big businesses utilize trend analysis as a tool, giving them the advantage in identifying cyber and other threats.

While small businesses are less likely to allocate resource to trend analysis and develop business continuity plans, cash-strapped public sector organizations are also scaling back investment. Sectors such as education, health and social care and public administration are expecting to cut their budgets by up to 20%. In contrast, private sector firms in areas such as manufacturing, retail and IT intend to boost spending by 30-42%.

The role of ISO 22301 in addressing key threats

The international standard ISO 22301 focuses on business continuity management systems. It provides a framework for organizations to show their customers, partners, owners and stakeholders that procedures are in place to ensure a disruptive incident can be overcome with minimal damage to the business.

ISO 22301 and its underlying principles of organizational resilience are important tools in helping businesses prepare strategic and robust responses to the challenges facing them, such as cyber-attacks. The ISO 22301 certification process helps organizations become more agile and flexible in their management systems, which can bring all-round benefits.

For example, reviewing a business’s IT continuity planning systems might highlight an issue with access control and how the profiles of former employees are closed on their leaving. Gaining greater clarity about who has access to different levels of information will help to reduce the risk of cyber-attack, and could have the side benefit of making the system easier and cheaper to manage.

An added problem: the shortfall in cyber-security experts

There is an extra complication that hinders organizations, especially smaller ones, from tackling cyber-crime head-on: the difficulty of recruiting cyber-security personnel. A recent report by Intel Security and the Center for Strategic and International Studies (CSIS) found that 75% of IT experts perceived there to be a shortage of cyber-security talent in the UK. The number one skill shortage is in threat analysis.[v]

This shortage clearly makes it harder for organizations to combat cyber-security issues. The lack of skilled professionals pushes up salaries, making it more difficult for SMEs to afford to employ specialists. It also makes replacement of outgoing employees more difficult, potentially leading to gaps in security coverage.

The future: growing risk and the Internet of Everything

The threat of cyber-attack is set to grow in coming years, not least as cloud-based services, mobile computing and the Internet of Things increase the volume and depth of data that criminals can target.

As businesses become more and more reliant on automated systems to carry out their everyday operations, the potential for hackers to exploit cracks in the system will also increase. This ‘Internet of Everything’ – a world in which everything from government functions to business operations and personal relationships is conducted using the internet in some form – offers new risks as well as new opportunities. Is your business well placed to navigate the new world?

[i] Horizon Scan Report 2016, Business Continuity Institute

[ii] Horizon Scan Report 2016, Business Continuity Institute

[iii] Horizon Scan Report 2016, Business Continuity Institute