
Cybersecurity: When Best Intentions Fall Short of the Threat Reality

The Department for Digital, Culture, Media & Sport’s (DCMS) last cyber report found that a staggering two in five UK businesses (39 per cent) said that they had identified a cyber security attack in the last 12 months. When I see findings like this, it instantly grabs my attention. My red flag in question here? The word ‘identified’.

We know that ‘identified’ only means they discovered it. To play Devil’s Advocate, what about the cyber threats that organizations have not been able to identify? It’s conceivable – if not for certain – that the actual percentage is much, much higher. For example, it’s very common for cybercriminals to breach a company’s infrastructure and then lurk before launching an attack at the most opportune moment. So, they could quite literally be lying in wait right now and a business has no idea.

The same common shortcomings

Of course, no company wants to be breached and many businesses of all sizes across industries are taking the correct steps to reduce their risk of being breached. However, I have seen first-hand that best intentions and efforts do only go so far.

Time and time again, businesses fall into the same common shortcomings that increase their risk of being attacked, from not outlining who is responsible versus who is accountable for shoring up security defences, to rushing to digitalize too quickly. Businesses must address these shortcomings to put themselves in the best stead against cyber-criminals and hackers.

When responsibility and accountability are unclear

Particularly if an organization is multidisciplinary – for example, those comprised of departments focused on manufacturing, customer service, distribution and so on – it’s harder to instil accountability for cybersecurity. It is fair to say that everyone in a business must manage their own cyber security and privacy risks. However, the lines of responsibility and accountability aren’t always entirely clear.

In larger corporations, the Board should ultimately be accountable for all risk, but that doesn’t necessarily mean they will be doing the actual work to instil this. There should be one person or team responsible, while the Board (or its equivalent) remains accountable. That could be a CISO or CSO who takes responsibility for creating a cybersecurity strategy that holistically manages an organization’s cyber defences, avoiding the risks of a fractured environment that leaves a company open to potential attacks.

Smaller companies can have the same principle, but it may fall on the same shoulders – such as the CEO or founder – to take on both the accountability and responsibility (via managing a team or outsourcing to a third party) for their cyber defences.

A defensible position?

‘People are your first line of defence’ is a well-known cybersecurity adage. But while employee education on cyber risks can go some way in curbing the threats of phishing attacks or downloads from untrusted sources, without reinforcement – and indeed, enforcement – there may be clear cracks in company defences.

It was reported very recently by Harvard Business Review that 67% of the remote-working participants surveyed failed to fully adhere to cybersecurity policies at least once during a 10-day period, citing reasons for these rule breaks as “to better accomplish tasks for my job,” “to get something I needed,” and “to help others get their work done”.

To tackle this, business leaders must start developing security policies which acknowledge the fact that many employee-driven breaches stem from an attempt to balance security and productivity and very rarely from insider/malicious hacking efforts. Leaders must also take steps to involve employees in the process of developing and testing said policies and equip them with the tools they need to follow these as easily as possible.

Cost cutting exercises

The UK – consumers and businesses alike – has it tough at the moment. Just as we were finally seeing the skies clear from the pandemic, we’re now hit with rising inflation, battling against increasing costs of living, and all the while heading into what is predicted to be one of the deepest recessions the country has ever seen. It is therefore no surprise that budget holders within UK organizations are looking at where they can make quick savings. And this includes tech.

When balancing priorities, some IT decision-makers will cut back on defences like end-point security. I’m increasingly – and worryingly – seeing more businesses viewing it as a ‘nice to have’ rather than recognizing the vulnerability introduced by remote/hybrid working and bring-your-own-device (BYOD) policies.

Security is not a line item to trim. Putting to one side that organizations are expected to adhere to national and sector-specific security and privacy regulation and legislation, the sheer number of cyber-attacks – and the knock-on effect they can have on a business – shows that cyber security is something to invest in for the long term. Neglecting it can reap dire results, including, in some instances, the closure of businesses unable to recoup the money lost to a breach.

Rushing to digitalize

The pandemic has caused great hardship to many people around the world. However, we have seen a number of silver linings to these once-dark clouds, including a sharp uptake in worldwide digitalization. In fact, it was reported that across many sectors including manufacturing and fintech, the pandemic has acted as a catalyst for digitalization. It spurred many new applications of existing technologies and opened up a whole host of new business opportunities.

However, blending and/or moving from legacy technology to SaaS applications or cloud infrastructure without a meticulous strategy and timeline in place is incredibly risky. As more devices and access points are added to an organization’s stack, this opens up more potential vulnerabilities.

To ensure that they don’t increase their risk of being attacked, digital transformation project leaders must assess and manage the potential risks at every stage of their digital transformation journey: before, during, and on an ongoing basis as their digital strategies evolve. Central to this is also understanding and mitigating the risk that third-party vendors could pose to them through their own security processes.

Making best intentions a reality

Cybercriminals aren’t just hacking for activism or for fun. They’re running their attacks like a business, targeting organizations to extort money – and they’re getting smarter at it. Take the recent LockBit ransomware attack on The Royal Mail, for example. This makes it all the more important that organizations don’t fall victim to these common (and basic) shortcomings when it comes to cybersecurity efforts.

My main advice? Don’t get complacent, don’t cut corners and shore yourself up against the people lurking in the cyber-shadows. Assess your cyber threat landscape and put in place the policies and technology platforms to minimise the risk they pose for your business.