9 reasons why it must be a priority for you and your business
Cybercrime is often described as the biggest threat to modern business. However, there are still plenty of companies and business leaders who either fail to understand the threat or think it’s the responsibility of the IT manager.
We are publishing a series of articles to help you become better equipped to protect your business and make informed decisions about your company’s approach to cyber security.
As an introduction to cyber security, here are 9 reasons why it should be a priority for your business…
If you haven’t yet suffered a data breach you probably will
According to government statistics published last year, around 65 per cent of organisations have been breached or hacked. In other words, data which is considered sensitive, protected or confidential has been used, copied, transmitted, viewed or stolen by an individual or organisation unauthorized to do so. However, unlike other crimes, you may not know that it’s happened until weeks, even months, after the event. The average time it takes for a company to discover it has been breached is 120 days. Indeed, the highly-publicised violation of Yahoo occurred in 2014 but took two years to come to light.
It’s a business issue, not a tech issue
“It’s taking leaders a long time to realise this is actually a business issue and not a technology issue,” says Nigel Jones, director of the Centre for Cybercrime Forensics at Canterbury Christ Church University.
“It should have been at the top of companies’ priority lists for years. The problem is, the people at the very top of organisations typically have a background predating cybercrime. So they’ve got no inbred knowledge about the threats and dangers.
“I simply cannot understand how any business would not have cyber-threat down as a major risk to its welfare unless you’re a farm in the Hebrides.”
Protecting a customer’s data is also about protecting the reputation of your business.
Warren Buffett famously said, “It takes 20 years to build a reputation and five minutes to destroy it.” These days a company’s reputation can be destroyed within a couple of clicks.
In 2016, Semaphore [a supplier of data for the Office for National Statistics] revealed that 86 per cent of customers will not return to a website if their credit card has been breached. Speaking at last month’s IoD Digital Strategy Summit, Barclays MD for Global Intelligence, Royce Curtin, said, “I would submit to you that the biggest threat (to your business) is a loss of trust in your ability to deliver those world-class services; the innovation people expect and the ability to do that securely. The threat is global, dynamic and ever-changing.”
What do criminals do with your data?
In the first six months of 2017, there were 89,000 cases of identity fraud in the UK, which equates to 500 incidents per day. In many cases, the information would have been acquired from a data breach and was used to apply for credit cards, bank accounts, loans and insurance.
SMEs are a prime target
“For more ambitious criminals, it’s their supply chain link to much larger companies that makes SMEs attractive, and therefore in need of enterprise-level defence,” says Prakash Panjwani, chief executive officer at WatchGuard. “The businesses you pass on the high street are now a prized target for cyber criminals. Without knowing it, a retailer could well be hijacked and become an unwitting proxy through which new attacks are routed. The truth is that small businesses represent roughly nine in 10 of all the merchant data breach compromises.”
Vigilance starts in the boardroom
“It’s crucial that CFOs, CEOs and other executives take an active role in understanding the level of risk they’re exposed to and establishing a meaningful and effective strategy,” says Andrew Elder of Riverbed Technology and formerly president of EMEA at Intel Security. “This includes taking stock of the value of the company’s data assets and implementing mitigation strategies appropriately proportioned to the level of risk involved. The financial future of a corporation – or that of its customers – can hinge upon the security of the information stored.”
Over 90% of attacks start with an employee clicking on a link in an email
The most common type of attack arrives via an email that looks like it’s from a legitimate source, with an attachment made to look like a PDF.
“The best way to mitigate risk is to assume an attack is already occurring by adopting an approach to security that addresses the entire attack continuum – before, during and after,” says Terry Greer-King, VP EMEA at Cyber Security Enterprise. “It’s important to ensure policies are well documented and clearly understood by each employee and every user. In doing so, employees themselves will be educated and motivated to adhere to the organisation’s security processes and be able to accept responsibility on an individual level.”
Greer-King adds, “Software patches and upgrades are free or relatively low-cost, take no special technical expertise to install, and are one of the most important basic security steps for businesses of any size.”
A low-key approach to keeping information
We’ve read countless stories about important information stored on a USB stick being left on a bus or a train. According to Matthew Webb, head of technology, cyber and data at Hiscox UK & Ireland, “Studies have shown that if a USB stick has a company logo on it, over 80 per cent of people who find that USB stick will plug it in. If you put a CD with payroll written on the front, the open rate goes up to 100 per cent.”
It’s a growth industry
“Technology is evolving faster than we can generate individuals with the skills and experience we need,” says Simon Kouttis, manager of Stott & May’s cyber recruitment division. “The agile nature of business, along with remote working technology, has left more companies open to the risk of cyber attacks, with fewer qualified professionals to deal with that increase. We’re now experiencing the problems caused by a historic skills shortage in Stem [science, technology, engineering and mathematics] subjects, although this is now rightly back on the educational agenda. There needs to be a creative approach too – the roles you need long-term might not exist yet.”
Cyber security for business
The IoD have created a Cyber Hub as a resource for all things digital security. Whether you need to learn the basics with a glossary of cyber-terminology, step-by-step instructions on improving your online protection, or to simply stay involved in the latest conversations, you can find the help you need here to safeguard your business and employees.