Cyber Security is a very real and increasingly pervasive concern for both the public and private sector; with cyber-attacks becoming more sophisticated, the immediacy of the problem warrants a level of security previously unseen.
The misconception that Cyber Security is purely an IT issue is as myopic as it is commercially disastrous. Because it involves people, the insider threat ranks as the highest risk of data loss. Indeed, personal IT may be a more valuable target than corporate IT resources.
Sensitive data may be susceptible to breaches that cause untold damage to brand and reputation, through exposure of client information, interests, IP and trade secrets, and through serious business interruption. The end result is direct and indirect financial and economic loss.
In recent years companies have begun to address the issues that Cyber Security raises and are taking logical steps toward protecting their systems. The key principles are to prevent and to defend: protecting data whilst mitigating risk is central to managing an organisation’s privacy and ensuring the security of confidential client information. By employing prudent measures and fostering the right relationships, organisations can increase their security and greatly reduce their risk exposure.
Sadly, and somewhat unsurprisingly, the insider threat arises from employees and partners who have become compromised.
Whilst most incidents are not maliciously motivated, they nevertheless arise from people’s fallibility and misinformation. A somewhat alarming statistic is that 60% of people will plug an unknown USB drive into their system.
Targeted attacks are a different ball game completely, with criminals leading industrialised attack methods that hoodwink traditional information security. A game changer indeed, with industries in the position of having to raise their game significantly. The number one cause of supply chain failure is IT/telecom outage, with cyber-attack at number 4.
By undertaking this 6-step risk assessment companies will receive a review of their existing capability with a roadmap that will ensure continued safe operation.
- Focus on business objectives to appreciate aims and to form the “To-Be” future state Cyber Security strategy
- Business Impact Assessment: determine the potential business impact in the event of a compromise
- Assessment of the Cyber Security threat, identifying sources that seek to compromise the firm’s sensitive assets
- Identify and document security vulnerabilities in existing technology, people and protocols; create the “As-Is” current position
- Evaluation of the remaining risk factors and the risk rating for each. The output is a prioritised Cyber Risk Register
- Strategy & Roadmap: a roadmap of tactical and strategic measures to ensure ongoing defence of systems and assets
- Sept (2014) The UK gov announced suppliers bidding for public contracts would have to meet new cyber security standards
- May (2015) Aon Risk Solutions highlighted cyber risk had moved into the top 10 global threats for business for the first time
- Rory Moloney, Chief Executive of Aon Global Risk Consulting, said: “While new risks such as cyber have moved to the centre stage, established risks such as damage to reputation or brand are taking on new dimensions and complexities. The interconnected nature of these risks reinforces the importance…”
- According to a 2015 global Private Equity survey conducted by EY, entitled ‘Positioning to Win’, a top risk highlighted by CFOs is cyber security
- Andrew Coulcher, Director of Customer Solutions, CIPS, said: “This is one of the biggest issues of our time; as procurement professionals we need the right tools and support to meet these challenges head on.”
- Costs of a cyber security breach are estimated by CIPS as anywhere between £600k and £1.15m for large businesses, or £65k to £115k for small businesses.
- The Ponemon Institute estimated that a breach in the financial services sector would cost $217 per record. For example, for Target’s 110 million records breached, the costs would be substantial enough to put a fund out of business.
UK Government ‘Cyber Essentials’ is a set of controls offering Public and Private Sector organisations a sound foundation of basic cyber hygiene measures.
- Firms such as AIG are offering incentives to businesses to become certified.
- Larger organisations, such as HP, are also beginning to demand accreditation.
- The five key controls are: boundary firewalls and internet gateways; secure configuration; user access control; malware protection; and patch management.
- There are two levels of assurance available to satisfy the requirement; ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.
- Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber-attack.
- Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt.
- The UK standards are based on the ISO/IEC 27000 series, providing a basis for checking the IT security of elements in the global supply chain.
The battle against cyber threats is not a finite one with a one-size-fits-all solution, nor is it a problem that can be easily circumvented; it is a multifarious entity to which organisations must continuously adapt and evolve. Even more alarming is the advent of zero-day threats, where malware exploits previously unknown vulnerabilities; this is arguably the next generation of security threat.
With cyber criminals employing ever more sophisticated strategies to disrupt and break systems, organisations must adopt a robust appraisal of their current exposure level, seek an expert roadmap to counteract key risks, and maintain an ongoing system that allows for the amorphous and unpredictable nature of the threat.