Cyber Security Crisis
25th January 2016
The TalkTalk security scandal has had everyone talking about the threat of cyber-attacks. Experts now warn that something more needs to be done on a national and international scale…
The Internet brings huge business opportunities and benefits, but it also brings risks. In 2014, 60% of small businesses experienced a cyber breach, and the average cost of the worst breaches was £65,000 to £115,000 – a huge blow for any business.
In October last year, the TalkTalk website fell under a ‘significant and sustained cyber-attack’, leaving bank details and personal information to be accessed by hackers. The phone and broadband provider, which has more than four million customers in the UK, still continues to make headlines, and the fallout has had a drastic effect far beyond those directly impacted.
Hybrid workforce solutions provider Gibbs S3 warns of a shortage in cyber-security specialist skills, suggesting this as the problem that must be combated if we are to stifle these security breaches. This shortage is something that will only become more of a problem too. Michael Brown, CEO of Symantec, a global leader in cyber-security, has been quoted as saying that the global demand for cyber-security professionals is set to grow to six million by 2019 with the shortfall expected to be around 1.5 million, and businesses in the South East will not escape the effect.
The dangers are not limited purely to larger companies either. Recent research from KPMG has found that 70% of SMEs can do significantly more to protect sensitive client data. It is a truly worrying statistic, especially considering that the same research found that 94% of enterprise procurement departments considered cyber-security protocols to be a key factor in deciding which suppliers to use. The inability of small firms to provide adequate cyber-security protection is now causing small businesses significant revenue losses, an untenable state of affairs.
Measures introduced by the UK Government, including Cyber Essentials, a new industry-supported scheme to help businesses, in particular SMEs, protect themselves against the common cyber threats, are highly creditable and should be continued. However, these initiatives are decidedly insufficient when it comes to combating modern Advanced Persistent Threats (APTs), which threaten South East businesses. In 2015 alone, Ashley Madison, TalkTalk, and the IRS have all been victims of sophisticated and damaging hacks. How can we learn from these to prevent them from happening again?
Farida Gibbs, CEO and Founder of Gibbs S3 commented: “The range and severity of threats, coupled with the desperate shortage of skilled staff means that the majority of British companies are fighting an increasingly complex war with clearly insufficient resources. This issue is compounded by the fact that standing still is not an option – firms need to be far more proactive in beefing up their digital defences as the hackers who are looking to get in are constantly evolving and mutating their attacks.”
Punam Tiwari, Senior Legal Counsel and Data Protection Specialist at Gibbs S3 said: “We’ve now seen CEOs of major companies lose their jobs because of cyber-attacks which should be a serious wake-up call about the consequences. Companies should start from the assumption that their systems have been infiltrated by criminals and operate on that basis, yet many businesses are simply failing to act.”
Assuming that the threat comes from outside the company is the go-to position, and the best of the worst-case scenarios. However, insider security breaches are also a huge issue, and this assumption can often be worse than the threat itself. Also in October this year, a firm of accountants in Eastbourne received an email purporting to be from a Senior Manager at the firm, asking for £18,900 to be transferred into a specific bank account. Only after the request had been carried out did staff realise it was a cyber-attack, with both the email address and the account set up solely for the fraud: this has been termed ‘whaling’ fraud.
Katy Worobec, Director of FFA UK says that businesses need to be alert to this scam and make extra face-to-face checks before making payment: “Fraudsters will do all they can to make these scam emails look genuine, so it’s important for businesses to be alert. While an urgent request from the boss might naturally prompt a swift response, it should in fact be a warning sign of a potential scam. That’s why it’s vital that finance teams carefully check any unusual demands for payment through an alternative method, such as over the phone or face to face, before making the payment.”
Last year, Morrisons was also made acutely aware of the insider cyber-security threat when their staff’s personal details were leaked by a disgruntled former employee, now leading to more than 2,000 of its current staff suing the supermarket.
Jens Puhle, UK Managing Director of Access Rights Management specialist, comments that commercial organisations need to take data protection and security into their own hands: “The recent spate of high-profile data breaches will have many firms looking outwards, but they must not overlook the level of risk posed by insider threats.
“Many large firms have no idea who can access the data on their systems, and few have proper processes in place for rescinding access when employees no longer need it or leave the organisation. By putting in place strict internal processes to keep access to sensitive data at a minimum, firms can greatly reduce the risk of malicious and accidental insider data breaches.”
The team at Gibbs S3 call for more skills training as the answer to this growing and serious issue: “There needs to be a greater commitment to data protection and cyber-security training across the UK with businesses also carefully assessing and planning how they will bring on cyber-security experts at a moment’s notice – whether that is for a crisis scenario or not,” says Punam.
The Cyber Essentials documents are free to download for any organisation, and advice on protecting against hackers can be found at: www.cyberstreetwise.com