09 September 2015
Cyber security: Staying ahead of the hackers
We live and work in a digital age that brings huge opportunities - and commensurate risks. Cyber attacks are ever more audacious, and while loss of customer data is embarrassing enough, it may not be the most severe outcome.
Loss of reputation or competitive advantage and an irate set of shareholders can hole a business below the waterline. However, it is possible to fight back. Cyber security is becoming more astute. Cyber resilience - the ability to respond and recover - is growing more adept at educating employees to be the first line of defence. Boards, who for many years pigeonholed this as an IT issue, are seeing the value of an integrated cyber security policy across the entire organisation.
So where does the UK stand?
To begin with, 90% of British businesses expect the number of cyber attacks against them to increase, and they’d be right.
Around 90% of large organisations and 75% of small organisations have experienced a security breach.
(Source: PWC Security Breaches Survey 2015)
Attacks can be roughly divided into four types:
- nuisance hacking, eg defacing the company’s website
- hacking for financial gain which may go beyond stealing customers’ credit card information to securing a confidential earnings report
- the advanced persistent threat, often about stealing intellectual property (the type most often associated with state-sponsored espionage, such as last year’s attack on Sony Pictures laid at the door of North Korea)
- hacktivism - an attempt by an activist group to alter the public’s view of your brand by obtaining and disclosing sensitive information.
While C-Suite executives may appreciate the value security has to their business, they may have a weaker grasp of the information assets to which it must apply - where they reside, the fines for losing them, whether any is held by suppliers and the standard of those suppliers’ own security.
Most hacks can be prevented. 70% of hacks exploit known vulnerabilities for which preventative software already exists. Some date back to 1999…
(Source: Verizon Enterprise Data Breach Investigation, 2015)
Attacks can be internal, from disgruntled or departing staff, but more often it’s uninformed employees who unintentionally give outside hackers ingress through weak passwords, social media ‘ambush’ or phishing scams. Fortunately, training has greatly improved, even from a few years ago. Find out how AXELOS, part of Capita, are helping staff stay cyber secure via their Resilia training portfolio.
Antiquated systems and equipment are also problematic; they are said to be why, in June, the US Government’s Office of Personnel Management lost the details of 4 million federal employees - more than 1 per cent of the country’s entire population - to Chinese hackers.
The mobile threat
And few experts would disagree that the mobile phone is the next crucial theatre of operations for cyber security. To date users have seemed alarmingly nonchalant about the data safety (or otherwise) of their phones but organisations are recognising that having business critical intelligence on the same device as games and social media apps may not be such a good idea. One survey showed that the average mobile phone app has at least a dozen vulnerabilities...
Meanwhile, a generation of younger employees has grown up to see mobiles as an ever open door in a sharing culture - the very opposite of good security. This is a further demonstration that education and mobile are set to be the leading rallying cries of cyber security over the coming years.
By 2018 around 80% of all proprietary data stored in the cloud will be encrypted. (It’s about 20% now).
(Source: The International Data Corporation)
The devices - or people - at the end of the security chain: laptops, phones and POS terminals, often seen as the weakest link.
Zero day vulnerabilities
A fault in the software, unknown to the vendor, that can be exploited in an attack. So named because, once recognised, the developer has ‘zero days’ to fix it.
Whitehat hackers
Hackers who seek vulnerabilities for fun, with the lofty purpose of helping organisations eradicate them - a grey morality not always appreciated. Blackhats are the baddies.