Cyber security attacks are becoming increasingly more common and no company or even government is protected from being targeted. Hearing about these attacks might no longer surprise us but it is now one of the top priorities for companies’ boards of directors. The LINK spoke to cyber security experts to find out what companies can do to fend off the threat of cyber attacks and whether there is a sustainable solution to put an end to them once and for all.
Even though cyber attacks have become an everyday occurrence, it has not been a threat to businesses for that long, according to Shadi A. Razak, Chief Technology Officer at London-based cyber security service firm CyNation. It is a phenomenon that barely existed two decades ago, he explained. Over time, cyber attacks have evolved from small innocent pranks by smart teenagers to organised crime groups targeting big companies, organisations or governments. That is the reason cyber security has become “one of the top five priorities of boards”, according to Razak, and why companies like CyNation have become so relevant. Razak gave an example to illustrate the character of an early attack.
He said: “In 1996, during the general elections in the UK, the Labour party website suffered a number of attacks from professional hacktivist groups like the ‘Digital Anarchists’ to young teenagers. When one of them changed the Labour Party leadership team head photos to pornstar photos. This motive was to impress a group of friends & his next-door sweetheart. Cyber threats have existed since the early days of the dot-com boom, but was not commercialised or utilised by organised crime till the mid-2000’s.”
Today, the objective of many attacks is not to humiliate or play pranks but to blackmail, defraud, espionage, conduct identity theft or just to simply cause destruction. Back in 2010, when organisations started to depend more heavily on digitalised procedures, security was not a priority, according to Razak. But he said that not prioritising cyber security “is like building your house without putting in any locks on the doors or windows”. As digitisation has increased, so has the risk for cyber attacks and Razak said that companies must keep up with the technological developments.
When asked about the most common cause of attacks, Razak answered human error. He explained: “Two things are infinite in this universe: the universe itself and human naiveté”. He distinguished two categories of insider threats, those that are on purpose and those that are not. The two combined make up about 40 percent of security incidents. Razak told the LINK about how an employee at a well-known company downloaded a video player to watch the Olympics that accidentally opened a backdoor to their IT system and ended up costing them a lot of money. Employees are not always aware of the risks and Razak stressed the importance of education as it could “mitigate 50 percent of these types of silly incidents”. Another type of security breach is when employees change jobs and take company data with them. Employees who have helped create data consider it their own when it really belongs to the company. The data is therefore compromised even if the former employee does not use it as the company cannot control the security measures on a personal computer.
While CyNation mainly works to prevent attacks, Swedish insurance company, If, helps companies that have already been targeted. Jessica Källman, PR Manager at If, explained to the LINK that computer crime insurance is automatically included in all their company deals. It includes recovery and disruption costs if an attack brings the business to a standstill. However, If, among other things, requires their clients to have up-to-date software in order to honour a claim. Razak also mentioned that outdated software is a common source of attacks and causes unnecessary risk. “With advancing technology, old systems usually have vulnerabilities and backdoors that we are not aware of that will compromise us,” he said.
Razak also highlighted an often-missing link between the board of directors and a company’s cyber security staff. He said that while security professionals talk about being hacked and how many hours the server will be down, business people need it translated into financial figures and lost profit terms. He said “The cost of a cyber attack or breach can be high in terms of business finances. Usually the cost of a breach will include all types of costs. Legal, remediation, system outages, public relation, cost of labour to recover the cost of time recovery will take, as well as the cost of materials used in the recoveries process and so on. Usually if presented the cost saving for system updating or upgrading, such as upgrading the organisation devices to run windows 10, instead of windows XP, would help the boards to make better informed risk averse decision and make their organisations more cyber resilient.” The missing link is that boards need to understand that a simple software update can save them millions in terms of cost related to standstill causing loss of sales and hiring consultants to get their systems back.
However, cyber risk is hard to calculate since it is ever-changing and increasing in sophistication. Elizabeth Marsh-Rowbotham from consultancy firm 4C Strategies agreed when interviewed by the LINK. “It is hard to quantify the unknown in terms of financial savings, meaning that preventative action is not generally resourced adequately or planned into yearly budgets.” Marsh-Rowbotham stressed the fact that it is easier to prevent an attack than to fix a system that has failed. But she said that the financial and reputational gain of preventative action is hard to get across to boards and it is only when other companies get attacked that people act. “I call it the genie in the bottle. Every time someone kicks the bottle, the genie comes out,” Razak agreed. Marsh-Rowbotham mentioned how upcoming EU regulations might help push companies in the direction of prevention. The General Data Protection Regulation (GDPR) enters into force across Europe in May 2018 and will change the requirements for how companies handle and store data and will increase the fines for any breaches. “As regulation places increased responsibility on companies to act responsibly and protect personal data there is a shift in the receptiveness of executives to consider cyber security problems,” said Marsh-Rowbotham “Ultimately, action depends on the dynamism of the board.”
Razak said that cyber security has become a top priority for management in the last two years with “35-40 percent of board members” now saying that it is “one of their top three worrying aspects”. But he also stated that the threat of cyber attacks intersects all business processes. He explained that cyber security threats can be seen as a pyramid with people at the top, business processes in the middle and technology at the bottom, meaning that cyber security must underpin all parts of the business. He said that sometimes boards are looking for quick fixes whereas the sustainable solution is much more extensive and must be integrated at all levels. CyNation often gets the question whether they can install some sort of technology that will take care of cyber security but Razak pointed out that there is no solution as such. He said: “If you exclude business processes, you will have a gap in the pyramid and people will fall over technology, which is the current status quo. People are depending on technology.”
Both Razak and Marsh-Rowbotham talked about the importance of including the entire company in the cyber security strategy to ensure that all employees are educated in order to prevent malicious attacks and accidental breaches from within. But they also stressed the importance of strategy and decisions being taken at board level. “Senior leaders set the ethos, culture and engagement levels for staff across the company,” Marsh-Rowbotham said.