In a mobile-first, cloud-first world, where there’s so much powerful technology available to businesses to help prevent and counter cybersecurity threats, the fact still remains that hackers are becoming increasingly intelligent and the risk to organisations is at an all-time high.
Cybersecurity can be a particularly intimidating and costly issue for businesses. Indeed, the Verizon 2015 Data Breach Investigators report found that, in 60 per cent of cases, attackers were able to compromise an organisation within minutes. This highlights just how little time IT departments have to identify and combat an attack once it is in progress, especially given that it can take months for companies to realise their data has been breached. Nevertheless, cybersecurity threats can still be underestimated by organisations, with some companies choosing to take the risk rather than invest in security, or simply not educating themselves about the potential loss involved.
The 'who' and 'why' of cyberthreats
While the lone teenager pitting their wits against corporate networks may be the stereotypical image, the ‘who’ behind cyberthreats is actually far more multifaceted, complex, and continually evolving.
From an external perspective, one huge threat to organisations is that of industrial espionage – with other companies looking to gain competitive advantage and save money in development costs as a result of stolen intelligence. Then there are other external risks: from organised crime networks with teams operating on large scales to opportunists looking to prey on the mistakes of organisations and individuals. Recent realisations have also brought to light additional threats, including state-sponsored espionage, terrorists, and even the media.
Yet it’s not simply malicious outsiders that are the issue. Knowingly or not, employees within organisations can also behave in a way that jeopardises the security of their company’s data.
Employees who don’t understand cybersecurity threats or the value of the information they handle are prime targets for criminals – and such issues can be exacerbated by inadequate information policies and a lack of training. Then there are the malicious insiders, including individuals specifically looking to infiltrate their company’s data and even disgruntled employees.
Finally, a growing number of high-profile organisations are falling victim to targeted supply chain attacks – with cybercriminals becoming wise to the fact that suppliers can’t always field the level of cyber resources of those that they serve.
The real cost of an attack
The cost of an attack can be significant and far reaching, with the potential to impact individuals, businesses and the UK economy.
Media representations of breaches tend to focus on the effects on individuals, yet cyber breaches also have a severe impact on the victim organisation’s bottom line. Direct costs can include damage control, system repairs and the regulatory fines associated with data loss. However, there are also indirect costs to consider, such as loss of intellectual property and stakeholder confidence, both of which can blight organisations and decrease share value.
According to a joint study undertaken by the Centre of Economics and Business Research and Veracode, cyberattacks cost British businesses £34 billion a year in terms of lost revenue and resultant increases in IT spend. The Worldwide Economic Forum has highlighted that total global costs are difficult to calculate because a great many breaches go undetected. High-profile data attacks perpetrated by visible groups present a clear smoking gun, but industrial espionage can be difficult to identify and stop.
To combat such costs, the UK government has greatly increased its cybercrime budget. However, the message remains clear: organisations must take care of their own cybersecurity, through appropriate use of technology and by promoting higher levels of employee awareness.
Knowing what your business is up against
The first step in the prevention of cybercrime is knowing exactly what threats an organisation is up against and how they can be mitigated internally.
A necessary step is to encourage education that reduces the risk of employees using weak passwords, being tricked by phishing scams or downloading software from unknown vendors. It’s also about knowing what policies and background checks ought to be put in place to ensure data usage is managed. While all of this can feel basic, the reality is that breaches happen when the basics are not being executed correctly.
Beyond this, organisations need to ensure that individuals trained in an on-premise world are equipped to combat cybersecurity risks in the cloud, and also that IT security is consistently considered an issue for the boardroom.
Essentially, it all comes down to education and prevention. Both companies and employees must be fully aware of the potential threats and the necessary prevention methods in order to be best equipped to protect themselves.
Stuart Aston, National Security Officer, Microsoft UK