Protecting yours (and your customers’) critical, sensitive data is a key challenge these days. But, sometimes, no matter how tight your protocols are, a breach can come from the least expected places.
How well are you positioned to handle ransomware, or a data leak? “As the world goes digital, humans have moved ahead of machines as the top target for cyber criminals,” says Cyber Security Expert Steve Morgan. He explains that by 2020 4 billion people will be online – twice the number that are online now. “The hackers smell blood now, not silicon,” Morgan adds.
Global consultancy, McKinsey says that cyber security is one of the biggest priorities for businesses and governments: “As practically all of life migrates its way to data centres and the cloud.”
Harvard Business Review (HBR) says that determining the ROI for any cyber security investment can ‘best be described as an enigma shrouded in mystery’.
What you really need to know is that digital threats are real and the landscape for cyber terrorism changes constantly. Sure, it’s difficult to call the odds of any given attack on your company – or how big the potential losses might be in the event of a breach – but can you afford not to have cyber-risk strategies in place?
While IT experts will simply tell you to invest in the latest and greatest software out there to protect yourself, ensuring successful cyber security also comes down to fostering the right mindset in your organisation.
Do employees actually understand the risks associated with a cyber breach? Do they understand the potential losses?
What will a data breach cost you in terms of cash?
Depending on the size of your organisation, and the hackers that are targeting you, there are numerous variables at play here. You could be in for millions in cold hard cash, or you could lose all your customer data (and how do you put a price on this?).
Companies learn the hard way
Banks remain high risk/reward propositions for cyber criminals. “Banks tend to have a great deal of investment in cyber-protection, but the information they contain is easily converted into cash. Some of the information literally is cash, which can be grabbed from compromised bank accounts and drained into the coffers of off-shore tax havens and un-friendly nations,” experts at SentinelOne say.
Imagine how minor pieces of information like addresses, phone numbers, emails and bank statements can be sold into the hands of digital con artists. “The largest cyber-attack in recorded history happened on October 21, 2016,” says Nilesh Christopher at Times of India. “The hack caused a temporary shutdown of websites such as Twitter, Netflix, Airbnb, Reddit and SoundCloud.” The servers of Dyn, the company that controls the lion’s share of the internet’s domain name servers (DNS) were attacked. The hack (which Anonymous and New World claim to be behind) caused mass Internet outages for large parts of the USA and Europe.
DID YOU KNOW?
The global cost of cybercrime will reach $2 trillion by 2019. This is a three-fold increase from the 2015 estimate of $500 billion. According to ‘The Global Risks Report 2016’ by the World Economic Forum, a significant portion of cybercrime goes undetected.
This is particularly true in the case of industrial espionage and the heist of proprietary secrets, because illicit access to sensitive or confidential documents and data is hard to detect.
The Identity Theft Resource Centre’s (ITRC) ‘Data Breach Report’ shows that more than 29 million records have already been exposed in 858 publicised breaches across sectors – including financial, government, healthcare and education.
The hackers are out there, but what about internal breach?
“80% of the cyber security issues that have occurred in the commercial world are because of internal processes and people,” says Sam Palmisano, chairman of the Centre for Global Enterprise and retired chairman and CEO of IBM.
He adds that it’s not always resentful workers who got retrenched and therefore they gave someone their access codes. “It’s also people who didn’t protect their access codes or they tape it to their computer. Or they leave it in the top drawer of their desk, and the cleaning people can go get the stuff. You would get rid of half of your problems as an enterprise if you just train your folks and put controls in place,” he adds.
Where do you begin the journey toward cyber-safety?
“If the focus of cyber-security programs continues to be on designing better technologies to combat the growing menace of cyber-attacks, we’ll continue to neglect the most important aspect of security — the person in the middle,” says Vice President at ideas42 and co-author of Deep Thought: A Cyber Security Story, Alex Blau. “By turning the lens of behavioural science onto cyber-security challenges, you can identify new ways to approach old problems.
Former IBM head honcho, Palmisano adds that in autonomous vehicle and drone industries, where people could actually be seriously injured or die, you’d want a secure, clean path for information to travel. “You don’t want this on the open Internet,” he says.
So, what do you do then? Go offline? No. “We used to do this 40 years ago,” Palmisano expounds.
“ATMs never got hacked. Money didn’t start spitting out on the curb and stuff – because we used a secure connection. We used a proprietary network. We know how to do it technically. But now we’ve moved into an open innovative system which is terrific because it drives innovation at a much more rapid pace, but in certain areas where you’re dealing with, let’s say, major societal issues, we ought to go back to some of the classical approaches to how you design systems.
Get your people on board
If you’re struggling when it comes to getting your workers to be more vigilant around dodgy emails and attachments that may contain ransomware or lock-out software, these tips from CNET will help:
Don’t opt for scare tactics. The goal is to build a culture of cyber awareness, so treat security awareness like a marketing campaign with the intent to persuade.
Start small with a few videos or infographics to kick things off. Include posters, contests and other reminders to drive home an easy-to-understand message: Security is everyone’s personal responsibility.
Don’t waste time sending out long memos that will only get ignored. Keep it fun, keep it short. You’re trying to educate employees about best practices, not forcing them to eat their spinach. When everyone can have a good laugh, they can also learn at the same time.
Promote the theme with quarterly follow-up campaigns that stress cyber security awareness. Follow up the training by testing how well the lesson was learned. Send out occasional phony phishing emails to check how many employees still fail to recognise the threat.
If you’re a digital business, or in the midst of digitalising your analogue systems and processes, you need to pay particular attention to employees and their attitudes toward cyber security. Digital experts say that companies are going to become more and more vulnerable to breaches in the future, and if you are offering BYOD type incentives in the workplace, it’s best your employees understand how plugging their laptop into the network can open up vulnerabilities they never knew existed.