Research shows who the most likely victims of attack are; however, do not be fooled into thinking you are immune.
As a cyber-security specialist I was recently asked to speak at the Annual Conference in Southampton of the UK200Group, the UK’s leading association of independent chartered accountants and law firms, representing more than 150,000 UK SMEs.
I am acutely aware that the financial, legal and public sectors currently attract the most cyber-criminal attention, and for very good reason. However, it would be foolish to believe that those operating in any other vertical are any less susceptible to data breaches. On the contrary, without adopting a pragmatic approach to cyber security it really is a case of when you are compromised, not if.
The most significant threats today include:
Ransomware
- Malware that encrypts data and threatens to destroy it, permanently remove access to it, or publish it unless the victim pays, with the demand often increasing as time elapses.
Phishing and whaling (AKA CEO fraud)
- A malicious attempt to acquire sensitive information by masquerading as a trustworthy source via email, text message or pop-up, or to coerce an employee (typically in finance) into making a money transfer on the apparent instruction of a senior executive.
Exploitation of software vulnerabilities
- Flaws, glitches or weaknesses discovered in software, which an attacker can trigger to gain access or run code, usually on systems where the vendor’s fix has not yet been applied.
And, of course, the insider threat
- Whether malicious or accidental, which according to research may account for more than 50% of all reported data breaches.
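To make the phishing and whaling item above concrete, here is an added example (not code from the original article) of the kind of triage a mail gateway or SOC script can run on an inbound message. It scores four signals that typify CEO fraud: an executive’s display name on an address that is not theirs, a lookalike sender domain, a Reply-To that diverts the conversation elsewhere, and payment or urgency language. The company domain, executive directory, keyword list and both sample messages are constructed for the example.

```python
"""Heuristic triage of inbound mail for CEO-fraud (whaling) signals.

Added example, not part of the original article. The company domain,
executive directory, keyword list and sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-accountants.co.uk"                          # assumed
EXECUTIVES = {"jane smith": "jane.smith@example-accountants.co.uk"}   # assumed directory
URGENCY_TERMS = ("urgent", "wire", "transfer", "bank details",
                 "confidential", "asap", "payment")                   # assumed list


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains (e.g. a '1' for an 'l')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw):
    """Return (score, reasons) for one raw RFC 5322 message; higher is more suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip().lower(), addr.lower()
    from_dom = domain_of(addr)
    reasons = []

    # 1. Display name of a known executive, but not that executive's real address.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append("executive display name with unexpected address " + addr)

    # 2. Sender domain within two edits of ours, but not ours.
    if from_dom and from_dom != COMPANY_DOMAIN and levenshtein(from_dom, COMPANY_DOMAIN) <= 2:
        reasons.append("lookalike sender domain " + from_dom)

    # 3. Reply-To diverting replies to a different domain than the From address.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        reasons.append("Reply-To diverts to " + reply)

    # 4. Two or more payment/urgency terms across subject and plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if len(hits) >= 2:
        reasons.append("payment/urgency language: " + ", ".join(hits))

    return len(reasons), reasons


# Constructed sample messages: one genuine internal mail, one CEO-fraud attempt.
SAMPLE_LEGIT = "\n".join([
    "From: Jane Smith <jane.smith@example-accountants.co.uk>",
    "To: accounts@example-accountants.co.uk",
    "Subject: Partners meeting",
    "",
    "Agenda attached for Thursday.",
])

SAMPLE_FRAUD = "\n".join([
    "From: Jane Smith <jane.smith@examp1e-accountants.co.uk>",
    "Reply-To: jane.smith.ceo@webmail-example.com",
    "To: accounts@example-accountants.co.uk",
    "Subject: Urgent wire transfer",
    "",
    "Please process an urgent payment today and keep it confidential.",
])

if __name__ == "__main__":
    for label, raw in (("legit", SAMPLE_LEGIT), ("fraud", SAMPLE_FRAUD)):
        score, reasons = score_message(raw)
        print(label, score, reasons)
```

The genuine message scores 0 and the fraud scores 4. In practice a score of 2 or more is enough to hold the message for a human check, and the executive directory would come from the HR system rather than a literal; the point is that none of these signals needs threat intelligence, only knowledge of your own domain and your own senior staff.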
The Cebr (Centre for Economics and Business Research) conservatively estimated in 2015 that the cost of cybercrime to UK business was more than £34bn. Around 60% of that is attributed to direct losses (a significant downturn in business, reputational damage, regulatory penalties, fraud, business interruption and critical data loss), with the remainder being the cost of recovery and remediation. Compound this with the EU General Data Protection Regulation (GDPR), under which fines of up to €20m or 4% of global annual turnover, whichever is higher, can be imposed, and the impact could be significant. For example, it has been estimated that under the GDPR Tesco could find itself facing a €2bn penalty following the recent Tesco Bank breach.
And with the growth of the IoT (Internet of Things), where critical infrastructure (utilities), buildings, vehicles and other “connected devices” are monitored and controlled remotely over the Internet, you can only imagine the disaster waiting to happen unless security is given a higher priority.
So what can we do? Adopting tighter technical controls internally, such as those in the Government’s Cyber Essentials scheme, would go a long way towards defending against the roughly 80% of common internet-borne attacks that rely on basic weaknesses. Ensure you have adequate anti-malware deployed and kept up to date; that your systems are patched religiously; that desktops are locked down and users have only the access rights they need to do their jobs (no day-to-day use of administrative accounts); that your perimeter security (firewalls and internet gateways) is configured appropriately; and that you run an ongoing security awareness training programme so that staff can recognise potential threats and act accordingly.
As Sun Tzu said: “All warfare is based on deception. If you know the enemy and know yourself you need not fear the results of a hundred battles”. I am not so sure that holds in this digital age; however, forewarned is forearmed.
For practical, honest and informed advice about protecting your business from the majority of cyber-threats, feel free to contact me by email at firstname.lastname@example.org. This may be of particular interest to organisations that have to comply with legal and regulatory mandates, and to those with one eye on the new GDPR legislation.