Twenty years ago, the main components of cyber security were an anti-virus package and a good backup system. Both were generally seen as ‘the IT guy’s job’, or, in small organisations, the office administrators’.
Fast forward to 2018. The rate and volume of change that the internet has brought about is truly the next level of human evolution. And just as the possibilities created by this online revolution are vast and powerful, so too are the threats.
There is no way cyber security can still be seen as solely an IT issue. It is shocking how many business owners, managers and executive teams have their heads in the sand about this. Cyber threats are proliferating and every Australian business – small, medium or large – is at risk. But so few have an integrated approach or whole-of-business policy, and that is alarming.
Let’s take a look at what’s happening and why you need to take action. Now.
Attacks are common and on the rise
The internet touches every aspect of our lives. Every workplace and every home. Most individuals have a range of internet-enabled devices. We rely heavily on them and, frankly, can’t do much without them. This reality multiplies the threat of a cyber-attack, with ever-increasing entry points and methods.
According to findings in the latest Fortinet Threat Landscape Report, ‘almost no firm is immune to the evolving trends of cybercriminals. FortiGuard Labs detected 96% of firms experiencing at least one severe exploit.’
Businesses need an approach that covers all bases, including looking at their whole business framework, policies, standards and training. Employees need to be trained to deal with cyber security and educated about the latest threats.
Types of attacks are becoming more sophisticated
There is an increasing variety in the types of cyber-attacks. They can come via websites, via email or any open communication point. With the increase in remote workplaces, and the culture of BYOD, organisations are increasingly vulnerable.
The forms of attack keep shifting and evolving. From malware to phishing, social engineering to DDoS attacks, threats exist on multiple fronts. And many can go undetected while serious damage is being done.
Statistics released by Accenture indicate that 92 percent of malware is still delivered by email; the average cost of a malware attack on an organisation is $2.4 million; and 191 days is the average length of time it takes for organisations to identify a data breach.
With more data and more devices connected to the network, businesses need to be equipped with the right tools, processes and procedures to mitigate the risk of a potential threat.
So what’s actually at risk?
Technology is involved in nearly every aspect of day-to-day business. It’s not just the IT systems themselves that are at risk. It’s every process touched by them including communications, customer data, banking, purchasing, R&D – the list goes on.
The three primary areas where a cyber-attack may cause grief within an organisation are:
1. Loss of money
This can include making fraudulent payments, being blackmailed by cyber attackers and the massive losses of time and increased labour that can come in the wake of a breach.
The ACSC Threat Report 2017 found ‘losses of over $20 million due to business email compromise.’ This was an increase of more than 230% since 2015-16 and the report also suggests the figure is conservative as organisations tend to underreport incidents.
The World Economic Forum Global Risks Report 2018 estimated that the cost of cyber crime to businesses will be about US$8 trillion over the next five years.
2. Compromise of data and information
This can include identity theft, IP theft or leakage and other information compromise.
The World Economic Forum Global Risks Report 2018 found that ‘in 2016 alone, 357 million new malware variants were released and “banking trojans” designed to steal account login details could be purchased for as little as US$500.’
A report released by US organisation Equifax in 2017 found that the PII of around 143 million customers had been accessed via a cyber attack (ACSC Threat Report 2017).
3. Reputation damage
This is, in some ways, less tangible and quantifiable. But as it’s difficult to track and measure, it can have both immediate and long-term impacts that are equally difficult to reverse.
How do you win back the trust of customers or employees whose privacy has been breached or who have lost money by being associated with your business?
Events such as the WannaCry ransomware attack of 2017 showed how vulnerable businesses, government and society more broadly really are. WannaCry is estimated to have affected more than 300,000 computers across 150 countries.
In the face of that level of attack it is tempting to revert to the head-in-the-sand approach – how can a single business compete with an attack like that?
But better to have some strategy in place than none. Better to know what you are dealing with and take every reasonable step to manage risk. The flip side of reputation damage is reputation surety. Businesses that can demonstrate high levels of cyber security and low rates of incidence will become more attractive to customers and business partners.
The risk is real so your response needs to match it
The ACSC Threat Report 2017 rates the risk of cyber compromise for Australian organisations as high.
So how do you ensure that you can detect, protect and prevent vulnerabilities? Stay tuned for part 2 of this blog series where we go into detail about HOW you can continuously assess your cyber security and threat landscape.