A report published in February 2010 found that, of over 2000 businesses polled, 75% had experienced some type of cyber crime in the previous 12 months, including theft of intellectual property, financial information and customers’ personal information.
Today, CIOs recognise the threats from cyber crime and are investing in cybersecurity. However, the cyber threat is increasing in terms of type, severity and frequency. Some governments now have specialist cyber units that conduct industrial espionage to progress the economic aims of their country, and professional hackers openly offer their services for hire to businesses, criminals and dissident groups. Enthusiastic amateurs also present a realistic threat: comprehensive hacking software is widely available and does not necessarily require detailed technical knowledge. Monitoring tools and devices can now be readily bought on the internet, typically for less than £50. As a result, defending an organisation against cyber attack has become much more difficult.
To combat the rise of cyber attacks, an effective cybersecurity strategy must address organisational and cultural aspects as well as information assurance and technical security.
Accept that closing all the gaps is expensive – and in reality, impossible to achieve.
Security measures are essentially an insurance policy, and should be based on a thorough understanding of risk. Conducting a robust cybersecurity risk assessment requires current, in-depth knowledge of the potential threats to an organisation and of the latest trends in hacking. Yet connected businesses have many different vulnerabilities that can be exploited, and the nature and mode of cyber attack is evolving rapidly. Closing all the gaps is impossible and expensive, yet many organisations try to achieve just that. A better approach is to accept that attacks will happen and to take the measures required to minimise their potential effect.
Involve the entire organisation to embrace a cyber-secure culture
The security of a system is only as strong as its weakest point. For example, it would be ineffective to focus all efforts and resources on preventing external threats from penetrating a network while ignoring the fact that a disaffected insider already has access to the system and the knowledge to cause greater damage. Addressing such threats often relies on synthesising information that is already known within the organisation but is rarely brought together.
Each additional security hurdle provides not only protection but an opportunity to identify a threat. Yet such hurdles must not prevent or unnecessarily impede the conduct of normal business. Identifying and controlling access to sensitive information within an organisation is particularly critical to help limit the potential damage from a cyber attack. This goes beyond technical measures and requires an effective security culture and processes within the organisation.
Stay resilient in the face of an attack
Designing a system with resilience in mind should be a key starting point, so that if attacks do happen, business can continue as usual. Further, learning to identify and respond effectively to an attack requires both careful planning and practice. This should become as much a part of routine business as the testing of the fire alarms, especially as, for many organisations, a cyber attack is the more likely event.
To find out more about developing an effective cybersecurity strategy, or to speak to an expert from PA’s cybersecurity team, please contact us now.