The perception of cyber security being an IT issue is as myopic as it is commercially disastrous; because it involves people, the complexity of an insider threat ranks as the highest risk of data loss. Indeed, personal IT may be more valuable to attack than Corporate IT resources.
Sensitive data may be susceptible to breaches that can cause untold damage to brand & reputation, with exposure of client information, interests, IP, trade secrets and serious if not catastrophic business interruption & ultimately severe economic fracture.
Throw into the mix the exponential threat of encrypting ransomware, having robust cybersecurity has never been as critical. Once the cyber criminals have stolen the files and encrypted them, no security software is able restore or return them. In such a scenario you would find yourself either paying the ransom (currently the default position of the FBI) with no guarantee of regaining the files, or simply cutting your losses, which in the case of valuable data is a tough call to make.
While anti-malware and anti-ransomware programmes are not the definitive panacea; what needs to evolve is better social education in order to stay ahead of the game. As laborious as it is, regular system backups should become standard as well as cloud storage with a high level encryption being an option.
In the latter years companies are beginning to address the issues that cyber security raises and are taking logical steps toward protecting their systems. The key protocols being to prevent and defend; protecting data whilst mitigating risk is key to managing organisation’s privacy and ensuring the security of confidential client information. By employing prudent measures & fostering the right relationships, organisations can increase their security and minimise risk exposure organically.
Increasing Awareness
Sadly & somewhat unsurprisingly the insider threat arises from employees & partners who’ve become compromised.
Whilst most incidents are not maliciously motivated, they nevertheless arise from people’s fallibility and misinformation. A somewhat alarming statistic is that 60% of people finding a USB stick will put it into their PC.
Targeted attacks are a different ball game completely with criminals leading industrialised attack methods, hoodwinking traditional information security. A game changer indeed, with industries in the position of having to raise their game, significantly. The number one cause of supply chain failure is IT/telecom outage, with cyber-attack at number 4.
RISK Assessment
By undertaking this 6-step risk assessment companies will receive a review of their existing capability with a roadmap that will ensure continued safe operation.
1. Understanding Objectives
Focus on business objectives to appreciate aims and to form the “To-Be” future state Cyber Security strategy
2. Business Impact Assessment
Determine the potential business impact in the event of a compromise
3. Threat Assessment
Assessment of the Cyber Security threat & identify sources that seek to compromise the firm’s sensitive assets
4. Vulnerability Assessment
Identify document security vulnerabilities in existing technology, people & protocols; create “As-ls” current position
5. Risk Evaluation
Evaluation of remaining risk factors & the risk rating for each. Output is a prioritised Cyber Risk Register
6. Strategy & Roadmap
Roadmap of tactical & strategic measures to ensure ongoing defence of systems and assets
Executive Views
• Sept (2014) The UK gov announced suppliers bidding for public contracts would have to meet new cyber security standards
• May (2015) Aon Risk Solutions highlighted cyber risk had moved into the top 10 global threats for business for the first time
• Rory Moloney, Chief Executive, and Aon Global Risk Consulting, said: While new risks such as cyber have moved to the centre stage, established risks such as damage to reputation or brand are taking on new dimensions and complexities. The interconnected nature of these risks reinforces the importance…..”
• According to a 2015 global Private Equity survey conducted by EY, entitled ‘Positioning to Win’, a top risk highlighted by CFOs is cyber security
• Andrew Coulcher, Director of Customer Solutions, CIPS said: “This is one of the biggest issues of our time as procurement professionals we need the right tools and support to meet these challenges head on.”
• Costs of cyber security breach are estimated by CIPS as anywhere between £600k to 1.15m for large businesses or 65k to 115k for small businesses.
• The Ponemon Institute estimated that a breach in the financial services sector would cost $217 per record. For example, for Target’s 110 million records breached, the costs would be substantial enough to put a fund out of business.
Cyber Essentials
• UK Government ‘Cyber Essentials’ is a set of controls offering Public and Private Sector organisations a sound foundation of basic cyber hygiene measures.
• Firms such as AIG are offering incentives to businesses to become certified.
• Larger organisations, such as HP, are also beginning to demand accreditation.
• The five key controls are: boundary firewalls and internet gateways; secure configuration; user access control; malware protection; and patch management.
• There are two levels of assurance available to satisfy the requirement; ‘Cyber Essentials’ and ‘Cyber Essentials Plus’.
• Cyber Essentials provides a cost-effective foundation of basic measures that can defend against the increasing threat of cyber-attack.
• “Cyber Essentials is a single, government and industry endorsed cyber security certification. It is accessible for businesses of all sizes and sectors to adopt
• The UK standards are based on the ISO/ESEC 27000 series, providing a basis for checking the IT security of elements in the global supply chain.
What Happens Next?
The battle against cyber threats is not a finite one, with a one solution fits all approach, nor is it a problem that can be easily circumvented, but rather a multifarious entity that organizations must continuously adapt and evolve to. Even more alarming is the advent of zero-day threats where malware agents exploit unknown vulnerabilities; this is arguably the next generation of security threat. With the NCA calling for greater measures to enact behavioural change, cyber security has become the critical corporate agenda issue from both a technical pain- point & a board level responsibility.
However, with cyber criminals employing yet more sophisticated strategies to displace and rupture systems, organizations must adopt a robust appraisal of the current exposure level, seek an expert roadmap to counteract key risks and an on-going system which allows for the amorphous and unpredictable nature of the threat.
Cyber Webinar: How Safe Are You?
City based procurement specialists Turnstone Services are gearing up to present the latest in an exclusive webinar series in association with cyber risk specialists Aprose Risk addressing the core issues around cyber security within the supply chain, to include;
• Expert insight into the five most common cyber threats today
• Three examples of supply chain cyber breaches that could happen to you
• Key lessons learned from the Target supply chain breach
• Best practices you can implement to managing the cyber risk from your partners
• The overlooked aspects of security that are critical to avoid a breach
• Suggested strategic actions and quick wins to improve your security posture
Hosted by industry experts;
-Mark Satterthwaite is a specialist consultant at Turnstone with procurement expertise spanning 20 years in both public & private sectors.
-Andy is Chief Information Security Officer at Aprose Risk, a specialist Cyber Risk and Resilience Consultancy. He advises senior stakeholders at public and private sector organisations on effective strategies to reduce the risk and impact of cyber-related incidents. He is Fellow of the British Computer Society.
Cyber Security: How Safe Are You? Tuesday September 6th at 8.30am
Register here today: : https://attendee.gotowebinar.com/register/5519830222986658818