If recent cyber-attacks are anything to go by, cyber-criminals are capable of causing colossal damage to organisations of all sizes. With vital public services such as the NHS succumbing to attacks, it seems that nothing is off the table when it comes down to cyber-criminals deciding who to target. However, according to some reports, the C-suite isn’t sweating over the potential of an attack or the financial fallout if such an attack is successful.
According to one report covered by City A.M., just one third of businesses in Britain have a financial strategy prepared should they become the subject of a cyber-attack. What’s more, only half of companies actually discuss the possibility of a cyber-attack at board level, according to research from Lloyds Bank.
Business leaders must think beyond simply signing off budgets for safeguarding software and physical hardware. They must also consider the financial consequences of a potential attack, including the seemingly far-fetched but increasingly likely concept of paying a ransom to regain access to systems in the control of cyber-criminals, or to release data that cyber-criminals have swiped from their systems.
On the former, the survey suggests one third of companies would pay such a demand to unlock their systems. But aren’t you just opening the door to even more attacks in doing so? Even if you were willing to stump up the money, how much would you be prepared to pay and has this amount been insured for? Only a quarter of those surveyed by Lloyds Bank had policies covering such scenarios.
Though the problem remains that these ‘cyber insurance’ policies simply don’t cover everything – how could they when the threat landscape changes daily and it is an immature market for insurers? And when hackers have locked your systems and threatened to delete data if you don’t hand over money, the decision on whether to pay or not can be a tough call; risking huge reputational and day-to-day damage, even putting lives at risk in some cases.
You only have to look at last year’s NHS cyber-attack and the recent attack on the city of Atlanta’s servers to imagine the fallout and destruction that could ensue. Of course, the best form of defence is a proactive defence, especially when cyber-attacks are getting far smarter at outwitting the checks and balances many currently have in place.
The biggest source of infiltration by criminal malware is email and all it takes is one member of staff to click on a seemingly innocent attachment in an email that appears to have been sent from a known email contact. In fact, 74 percent of all successful malware and ransomware attacks find their way on to IT systems and to sensitive data through email attachments. Being that email is the lifeblood of organisations, it can’t simply be switched off to safeguard the business from attacks.
This does not mean your current security technology is entirely useless, but it does mean you must continually analyse its ability to protect you and ensure every border is protected. We’re still witnessing companies applying a one-size-fits-all approach to cyber security, as if it’s simply another tick-in-the-box exercise. This is a grave mistake. Every border needs innovative technology in place to keep threats at bay because the traditional anti-virus methods cannot keep up with the dynamic threat landscape that we see today.
But how often would a company run education sessions for employees to ensure they know what they should click and what they shouldn’t? The old adage of ‘if it looks too good to be true, it probably is’ still has value, but cyber-attacks are becoming even more sophisticated and clever at disguising themselves in realistic-looking documents and links.
Alongside this, it is reported that only one in 10 cases cyber-crime cases are actually investigated by police; leaving the door wide open for the problem to grow out of hand in the coming years, with crooks knowing they are likely to get away with it if they just try their luck. The power is firmly in the hands of the cyber-criminal.
The advent of GDPR regulation, coming into effect in May, also raises fears. It means enterprises face much larger financial penalties should they suffer a data breach. The recent compromising of 150 million MyFitnessPal accounts is just another example in a long line of such attacks, which are increasingly becoming everyday news.
It’s disconcerting to learn that just half of companies are discussing these issues at the most senior levels. The problem must be taken seriously rather than parked as something that ‘won’t ever happen to us’. Then it must be tackled head on – proactively rather than reactively.
Unless you are thinking proactively and embracing innovation to regularly close down attack vectors, you’ll forever be on the backfoot with potential fixes and patches, watching helplessly as cyber criminals race ahead with new and successful attempts to bypass them.