Every day, every department in every organisation is at risk of a cyberattack. This situation is exacerbated by an unprecedented shortage of cybersecurity professionals. So how can businesses defend themselves in an increasingly diverse threat landscape?
What are the biggest threats organisations are facing when it comes to cybersecurity?
From an IT security perspective, cyberattacks and high profile data breaches are considered to be among of the biggest threats to business. In a recent study carried out by the Business Continuity Institute, cybercrime came out ahead of terrorist attacks, excessive red tape, and skills shortages as a concern. The study found that 85 per cent of respondents were concerned by the prospect of a cyberattack and 80 per cent of respondents expressed fear over the potential loss of sensitive data.
When it comes to methods of cyberattack deployment, organisations need to be particularly on their guard against:
Ransomware is a type of malware that prevents or limits users from accessing their system. This type of malware forces its victims to pay the ransom through certain online payment methods in order to grant access to their systems, or to get their data back.
Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g., pass phrase, credit card, or other account updates). The perpetrators then use this private information to commit identity theft.
Whaling, or business email compromise (BEC), typically involves a cyber scammer using a spoofed domain to pose as a company CEO or CFO. They’ll often request a senior member of the finance team transfer funds out to an external bank account – so the attack relies for a large part on social engineering.
What about insider threats?
Statistics vary but Verizon’s latest Data Breach Report found that human errors are involved in almost 30 per cent of all security incidents. A similar study from CompTIA cited human error as being the root cause of 52 per cent of security breaches.
Spotting security incidents arising from within your own organisation is particularly tricky because the attacker may have legitimate access. If the credentials being inputted are valid, the same alarms are not raised as when an unauthorised user attempts entry from the outside.
Not all incidents involving employees are malicious. More often than not it’s down to an individual being victim of some cyber-trickery such as a phishing attack (latest figures suggest that 13 per cent of the annual cybercrime cost globally for companies is due to phishing and social engineering.).
There is a line to be drawn between allowing employees or contractors access to the information they need to get the job done, and implementing an effective lock-down of sensitive data. Getting the balance right is not easy, as the recent PWC Economic Crime Report sums up: 'Companies continue to make their critical data available to management, employees, vendors, and clients on a multitude of platforms – including high-risk platforms such as mobile devices and the cloud – because the economic and competitive benefits appear so compelling.'
Almost every day we read about another organisation being the victim of a cyberattack. Why can’t we stop it?
Cyberthreats are becoming automated, industrial, and organised. In all walks of life, the criminals will always been one step ahead of the good guys – and cybersecurity is no different. The pace of change within the cybersecurity landscape is so fast that it can feel like an impossible task for IT teams just to keep up – let alone get ahead.
Can’t we just hire more cyber experts?
If only it were that simple. There is a big problem in cybersecurity – one that’s been building for years. And it’s not down to the hackers. It’s the lack of qualified professionals. Demand for cybersecurity professionals is set to outstrip supply by a third before the end of the decade. The problem has intensified as companies have become more aware of their own vulnerabilities – especially in the light of the steady stream of high-profile network breaches that are happening. This means that cybersecurity teams are often understaffed, which makes it even more difficult for them to properly protect their employer’s networks.
How can organisations combat the double whammy of an increasing intensity of cyberattacks, and the lack of staff available to deal with it?
When it comes to defending against these attacks, IT plays a pivotal role. But a company’s defence strategy can’t rely on technology alone. The human element is equally – if not more – important. The best technology in the world won’t protect against the actions of an employee who, through malicious intent or innocent mistake, give a cybercriminal access to your company’s digital crown jewels.
When it comes to cybersecurity, companies often put technology first, and training trails behind in second place. But both should be deployed in equal measure. The best technology in the world won’t protect against the actions of an employee who, whether intentionally or through an innocent mistake – opens the door to attack.
In the same way that an organisation must provide physical protection with a high-viz jacket and hard-hat, organisations have a duty of care to provide cyber protection thereby minimising the chances of being the victim of an attack.
Richard Beck, Head of Cyber Security at QA
Image Credit: Ninescene / Shutterstock