Cyber security challenges are recognised as one of the greatest threats to businesses around the world. The World Economic Forum’s 2016 Global Risks Report estimated a cost of around $445 billion worldwide from cyber-crimes. Richard Horne, cyber security partner at PwC, spoke to Global Britain about the issue. ‘Many organisations just don’t realise how vulnerable they are and this is a risk in itself,’ he says. ‘They remain in the mind-set of thinking that they won’t be attacked, but realistically we’re now in a when not if situation. As a result, these businesses haven’t got the right crisis planning, readiness and response in place for when the inevitable does happen.’
Cyber security challenges are numerous and incidents are inevitable. Since no external authority polices ‘cyberspace’ on a company’s behalf, taking measures to manage and govern your own system security is the key to sustained data protection and to keeping ahead of cyber security challenges.
A weak cyber security infrastructure can do lasting damage to a business’s reputation. Cyber security challenges include events or actions that compromise the confidentiality, integrity or availability of data, information or software, including the theft of personal data, financial data and intellectual property. Attackers range from individuals working remotely to organised criminal groups seeking information for financial gain or for public exposure.
‘The mobile-first, cloud-first world holds enormous potential for organisations and individuals to generate new and exciting growth opportunities,’ said Cindy Rose, the UK CEO at Microsoft. ‘However, there is a corresponding risk that as people increase their technology usage they also increase their exposure to cyber security threats. It is critical for all organisations to strengthen their core security hygiene as well as creating a pervasive security culture through education and awareness.’
In confronting cyber security challenges, it is important to understand ‘exposure’. Companies should put strategies in place to educate not only their executives but also their board subcommittees and wider staff about who could attack them, why they would attack and how they might do it. Training employees to identify security threats is a particularly worthwhile investment.
Cyber security challenges include malicious software, better known as malware: viruses, worms, spyware and Trojans, to name a few, which undermine the core security of an organisation’s systems so that information can then be stolen. Other active threats that could affect businesses and organisations include ‘drive-by downloads’, in which simply visiting a compromised or malicious website is enough to exploit a weakness in the visitor’s browser or its plug-ins and install malware, and ‘pharming’, the redirection of website traffic to fake websites, typically by tampering with DNS resolution or a machine’s hosts file, which then harvest confidential data.
Another technique to consider is ‘phishing’: attackers masquerade as legitimate entities, largely through scam emails, to extract confidential personal and financial information from unsuspecting victims. Organisations whose names are frequently impersonated in such scams include Apple and HMRC. HMRC has a reporting system in place that urges recipients to report suspected phishing so that its security teams can identify and deal with the threat.
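Both pharming and phishing, as described above, rest on the same trick: making a fake destination pass for a legitimate one. The following example, added here and not part of the original article or any PwC or HMRC tooling, shows two cheap checks a security team can run: flagging links in an HTML email whose visible text or target host impersonates a known domain, and flagging hosts-file entries that pin a known domain to an arbitrary address. The list of known domains, the sample email and the hosts-file excerpt are all constructed for the demonstration, and the edit-distance threshold is an assumed tuning value.

```python
# Added example: two checks for the impersonation behind phishing and pharming.
# KNOWN_DOMAINS, the sample email and the hosts-file excerpt are constructed.
import re
from urllib.parse import urlparse

# Constructed: domains this organisation legitimately deals with.
KNOWN_DOMAINS = {"apple.com", "hmrc.gov.uk", "example-bank.co.uk"}

# Constructed sample inputs, not real messages or files.
SAMPLE_EMAIL_HTML = """
<p>Your account has been locked. Verify it now:</p>
<a href="http://app1e.com/verify">https://apple.com/account</a>
<a href="https://hmrc.gov.uk.refund-portal.net/claim">Claim your tax refund</a>
<a href="https://www.apple.com/support">Apple Support</a>
"""
SAMPLE_HOSTS_FILE = """
# hosts file (constructed)
127.0.0.1       localhost
203.0.113.45    hmrc.gov.uk www.hmrc.gov.uk
198.51.100.7    example-bank.co.uk
"""

LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def levenshtein(a, b):
    """Edit distance between two strings (inputs are short, so O(n*m) is fine)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url):
    """Lower-cased host part of a URL ('' if there is none)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def strip_www(host):
    return host[4:] if host.startswith("www.") else host


def lookalike(host, known=KNOWN_DOMAINS, max_dist=2):
    """Return (known_domain, reason) if host impersonates a known domain, else None.

    Covers two common tricks: a known domain used as a *subdomain* of an
    attacker-controlled domain (hmrc.gov.uk.refund-portal.net) and a near-miss
    spelling (app1e.com). Genuine subdomains such as support.apple.com pass.
    """
    bare = strip_www(host)
    if bare in known:
        return None
    for k in sorted(known):
        if bare.startswith(k + "."):
            return k, "known domain used as a subdomain of another domain"
        if levenshtein(bare, k) <= max_dist:   # assumed threshold; tune per brand list
            return k, "near-miss spelling of a known domain"
    return None


def displayed_host(text):
    """If the visible link text is itself a URL or bare domain, return its host."""
    t = text.strip().lower()
    if "://" in t:
        return hostname(t)
    return t if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", t) else ""


def check_email_links(html):
    """Return (href, reason) for every link in an HTML mail that looks like a lure."""
    findings = []
    for href, text in LINK_RE.findall(html):
        host = hostname(href)
        shown = displayed_host(text)
        # Trick 1: the text the reader sees names one site, the href goes to another.
        if shown and strip_www(shown) != strip_www(host):
            findings.append((href, f"text shows {shown} but the link goes to {host}"))
        # Trick 2: the real target impersonates a domain we know.
        hit = lookalike(host)
        if hit:
            findings.append((href, f"{host} resembles {hit[0]}: {hit[1]}"))
    return findings


def check_hosts_file(text, known=KNOWN_DOMAINS):
    """Return (name, ip) for hosts-file lines that pin a known domain to an address.

    A workstation has no legitimate reason to resolve its bank or tax authority
    from the local hosts file; such an entry is the classic local pharming trick.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        findings.extend((n, ip) for n in names if strip_www(n.lower()) in known)
    return findings


if __name__ == "__main__":
    for href, why in check_email_links(SAMPLE_EMAIL_HTML):
        print("PHISHING?", href, "-", why)
    for name, ip in check_hosts_file(SAMPLE_HOSTS_FILE):
        print("PHARMING?", name, "->", ip)
```

Run against the constructed samples, the email check reports the `app1e.com` link twice (its visible text names apple.com, and the host is one edit away from it) and the `hmrc.gov.uk.refund-portal.net` link once, while the genuine `www.apple.com` link passes; the hosts-file check reports the three entries that override HMRC and the bank. In production the `strip_www` and subdomain logic should be replaced with a public-suffix-list parser, and the known-domain list drawn from the organisation’s real suppliers and brands.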
When the GDPR comes into force in May 2018, with the Information Commissioner’s Office (ICO) as the UK’s enforcing authority, businesses will be required to report personal data breaches to the regulator within 72 hours of becoming aware of them. The obligation applies wherever client personal data is involved and the breach is likely to put the individuals concerned at risk of harm. Not doing so could incur major fines.
Beyond identifying the security breach, companies should act to manage and respond to cyber security challenges. ‘There are three strands of response planning that need to be put in place, often with conflicting demands,’ Horne advises:
- ‘Business management—from restoring service, to managing customers and reputation
- Technical management—typically understanding precisely the scale of the breach, ensuring the attackers have been successfully removed, and examining for further signs of breach
- Legal and regulatory management—executing a legal strategy to manage not only regulatory risk, but also potential litigation risk.’
According to Horne, there is ‘no substitute for having a specific cyber breach plan in place, and thinking through as many potential issues as possible in advance of the “heat of the battle.” It is also critical to conduct cyber specific exercises to test the effectiveness and thoroughness of the plan.’
Businesses should seek independent reviews and assessments of how effectively their systems’ security stands up to cyber security challenges. One way to do this is to hire a Red Team to simulate a real cyber-attack against your infrastructure. Adopting the attacker’s mindset, the Red Team challenges the integrity of the system and, within agreed rules of engagement, tries to gain access by any means necessary in order to reach highly confidential information. The results of the exercise can then be measured, and the business can implement more secure methods to prevent real-life cyber-attacks.
A recent Global CEO Survey by PwC revealed that 76 percent of Britain’s CEOs consider cyber security the second most significant business threat, behind only the availability of key skills, so British businesses are recognising the importance of tightening their security infrastructure. The problem lies with the majority who ‘struggle to move beyond building “standard” cyber security control frameworks in the hope they are sufficient, to genuinely managing risks,’ says Horne. ‘The most successful leaders will be those who define a comprehensive board approach to governing cyber security.’
PwC outlined a set of principles in response to engagement with boards across various sectors to help organisations improve their response to cyber threats:
- ‘Have a real understanding of exposure;
- Have appropriate capability and resource dedicated to cyber security (at board level as well as through the organisation);
- Adopt a holistic framework and approach, including meaningful measurement;
- Submit to independent review and test;
- Have sufficient incident preparedness and a track record of identifying, responding to, and learning from, incidents;
- Have a considered approach to legal and regulatory environments for cyber security;
- Make an active community contribution, sharing information with others in the industry.’
In a Governing Cyber Security Risk report, PwC say, ‘No organisation can protect itself in isolation. Attackers commonly breach one organisation in order to target another, and replicate successful attack techniques rapidly.’ The company stresses the importance of businesses developing and building relationships with national law enforcement and intelligence agencies.
Our government prides itself on being a global leader in cyber security and considers the UK one of the safest places in the world to do business. In November 2016, Chancellor Philip Hammond announced the new National Cyber Security Strategy, into which the government will invest £1.9 billion over the five years to 2021. The strategy sets out the UK’s plans to use automated defences to safeguard citizens and businesses against cyber threats, in the hope of deterring cyber-attacks by criminals and ‘hostile actors’.
Over the coming year, we will be running regular in-depth articles on cyber security challenges in conjunction with some of the world’s experts to help keep you informed of dangers and provide solutions.
Further reading: CAN WE SAY GOODBYE TO THE ICO?