The issues surrounding cyber security are varied and can have a dramatically detrimental impact on businesses. Despite their complex nature, ensuring that businesses understand the risks associated with cyber attacks is essential to long-term growth. Business Today spoke to Vincent Geake, cyber and technology expert at Deloitte UK, to find out what exactly needs to be understood.
Do you think businesses are aware of the risks associated with bad IT and cyber-security awareness?
I think that most companies are aware that there is such a thing as cyber risk and that it can cause a lot of damage. However, what I think they don’t always get is what the potential impact could be in the context of their business.
The main thing that has really changed over the past few years is the nature of cyber-security attacks. People used to attack you to steal specific pieces of information, so it was fairly low volumes of data and they did it in a really stealthy way, as they didn't want businesses to know the data had gone.
One of the two things that have happened over the past few years is that attackers have progressed from stealing small pieces of information like that, to hoovering up large quantities of personal data, hence all the things we read about tens of millions of data sets getting stolen - they’ll take lots of personal information, from specific financial data to more complicated identity data.
The other change we are seeing, which has got more unpleasant, is malicious attacks where they come at you not for the benefit of the attacker, but with the intent to harm and put the target business at a disadvantage. For example, denying a customer access to a website, or an attacker may get in, encrypt all the data on a server and then send a ransom demand to unlock that data again.
We've also seen attackers go in and maliciously delete a mass of data, or change the data for their own benefit. For instance, where someone attacks a payment system - they could change the details of the payee and thus pay themselves millions of dollars.
Hackers don’t always just attack a financial system, but could also attack industrial control systems. They could change settings in an industrial control system to cause huge damage to manufacturing assets.
So over the past few years, we've seen a fundamental change in the nature of the cyber-attack. It’s no longer about what used to be called “cyber espionage”, but is about much more unpleasant and much higher business impact attacks.
What should businesses do to minimise the chances of cyber security attacks happening?
The first thing businesses need to do is to work out what their risks actually are. They need to go through their business systematically with up-to-date threat knowledge, to work out what the potential business impacts of a cyber attack could be. What might an attacker do to the information? Could that information get stolen, deleted or changed? What would happen to me or my customers if that happened? What would then be the impact on my business? You've got to understand what could happen as a result of one of these attacks.
The second thing is then: what do you do with this understanding? Some of the events that could happen are just so bad that, even if it’s an unlikely thing to happen, you still need to reduce the risk by lessening the potential impact, as well as the probability of it happening.
In some cases you can spend money on more complicated security to try and reduce the likelihood of it happening. What we know now is that it’s a case of “not if, but when”. It is no longer possible to guarantee that you can stop a cyber-attack, so therefore if something could happen that has really serious impact on your business, you need to modify perhaps the way you do business or the way you use IT, in order to reduce the impact.
Does there need to be further investment in these measures?
The answer is not to simply spend more money on security. What you've got to do is work out what the real risks are first, and focus your spend around those. Slapping security over everything is just not going to work and it’ll cost money. So do the analysis, work out what could really hurt you as a business, and then prioritise your resources around those. What you may find is that you have some areas where you actually have too much security and it can be simplified.
The argument is that it’s not good to simply throw money on security, but it’s about making sure you do it in the most effective way.
What should businesses be doing to make sure staff are more aware of cyber issues?
We tend to talk in terms of changing ‘security push’ to ‘business pull’. Many companies now have an information security team that is buried in the IT department and they are pushing out into the business, trying to make people aware and behave. What you have to do is get the people managing the business to understand what cyber risk means to them as a business, and start saying ‘how can you help us?’
There needs to be an employee culture change. If everybody knows that their senior bosses think cyber risk is important in everyday work and in making business decisions, then employees will recognise that they need to be aware of security. Everybody in a company these days needs to have an understanding of the type of attacks that a business can be threatened by, and that they can get involved with at a very high level. Many attacks these days involve insiders, not maliciously, but employees can make basic mistakes which assist attacks.
Everybody needs to understand more about cyber security – from the boss down.