Getting Ahead of the Hacker
6th July 2016

Cyber Security has long been a topic of discussion for businesses across Sussex, the country and the world, and it is undeniably a growing threat. Innovators are working on an answer, but in the meantime businesses need to implement proper training for their staff and get ahead of the hacker before it’s too late.
With the vast majority of companies now using the internet to do business, cyber security is becoming an ever more pressing issue. As security systems become more sophisticated, so do the ways and means of breaching them. There were 5.1 million cyber attacks in 2014-2015 alone (with a further 2.5 million offences under the Computer Misuse Act), with over half of the victims suffering financial loss. Furthermore, the internet security technology company CYREN found that successful cyber attacks on businesses increased by 144% over the four-year period up to 2015.
Of course all businesses are vulnerable, but smaller operations tend to bear the brunt as they often do not have the same resources available to them. Research has found that smaller firms are collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion. It’s not for lack of action on the part of the SMEs, however: 93% of small firms were found to have taken steps to protect themselves from digital threats. In spite of this, 66% have been a victim of cyber crime in the last two years. Over that period, those affected have been victims on four occasions on average, costing each business almost £3,000 in total. Also, according to Oliver Kuehne, Head of Cyber Security Practice at Stott and May, cyber criminals are actually hacking into smaller businesses as a way of getting into larger corporations: “Smaller companies are easier to target because they often lack the resources, knowledge and technical capability to protect themselves against the many different forms of attack that can occur.”
There are two main categories of vulnerability that are most often exploited by cyber criminals. Firstly, there are ‘organisational vulnerabilities’: weaknesses in the procedures, processes and human behaviour within a business. These can have significant consequences for the security and integrity of a small business’s assets, such as financial details and customer data. Secondly, there are ‘technological vulnerabilities’: weaknesses in the technology itself, which can leave those using the technology, such as small businesses, open to attack.
In today’s world it’s important for businesses to acknowledge that cyber security breaches are now more or less inevitable, so instead of focusing solely on defence, a new approach is needed – cyber resilience, for example. Cyber resilience is a broader approach that encompasses cyber security and business resilience, and aims not only to defend against potential attacks but also to ensure business survival following a successful attack. Broadly speaking, this involves ensuring that your cyber security is as effective as possible without compromising the usability of your systems, and also ensuring that there are robust continuity plans in place that cover information assets, so that you can resume normal operations as soon as possible if an attack is successful. Andrew Cooke, Client Director at the consultancy firm Atkins, suggests: “It’s essential to create organisational cyber resilience by understanding what is most important to delivering your mission and goals and converting that into a clear and simple set of controls to ensure that your critical physical and information assets are protected.”
Mr. Cooke also suggests that cyber resilience is about leadership. Creating a cyber resilient organisation has to start at the top and work down. “What is it that is important to the organisation and what needs protecting? To determine that you need to start with the top level organisational objectives. There are few businesses now for which cyber is not a key enabler; maybe none. Effective cyber security needs to be an objective on the CEO’s list of top level objectives.” However, research undertaken by PricewaterhouseCoopers for their 2015 Global State of Information Security Survey found that only 25% of directors are actively involved in reviewing security and privacy risks. Oh.
Even for those that do take an active interest, let us not forget that the best-laid plans of mice and men go oft awry. The simple fact is that the human element is most often found to be the weakest link in the cyber security chain. A report from the Information Commissioner’s Office found that 93% of incidents it investigated in the fourth quarter of 2014-15 were caused by human error. This is clearly a statistic that needs to see a dramatic reduction. Oliver Kuehne comments: “In recent years, the need for cyber security talent has skyrocketed. Because there is such high demand for this specialised talent and the threat landscape is growing faster than our ability to secure it, we are faced with a mass cyber skills shortage.”
So while up-to-date security systems and solid continuity plans are clearly important in combating and recovering from attacks, the role of the workforce is as important as ever. In the past, taking fairly basic steps and precautions has been relatively effective, and while this is still the case, the increased sophistication of cyber attacks now necessitates a higher level of education and awareness among employees around the subject of cyber security.
According to Tech City’s Tech Nation 2015 report, Brighton has ‘the highest concentration of digital companies in any of the UK regions’, providing scope to enhance the region’s cyber security capabilities whilst enabling businesses and citizens to be safe in cyber space. The potential is there, and of course whilst threats grow, so do innovations in protecting against malicious actors, but to really improve the situation businesses need to consider implementing proper training in-house for employees on preventing data breaches upon being hired. Oliver suggests: “It is critical for organisations to focus on improving their existing safeguards which doesn’t have to be cost prohibitive. Companies need to ensure they have a robust monitoring system in place, that employees are adequately trained in protecting data and in what to do if a breach does occur, and that there is a strong identity lifecycle process in place. Monitoring internal security measures is just as important as looking out for external threats.”
The training for employees should include education on the different types of exposure and on how employees can protect against security breaches. Employee training should also include instructions on what to do in the event of a suspected or confirmed cyber attack, and this goes beyond simple password management or not opening links in emails. It is a company’s duty to have policies in place to educate staff on security, tailored specifically to that business. Hackers are becoming more and more sophisticated by the day, so businesses in turn need to become more sophisticated to combat them. However, this requires skills we simply don’t seem to have yet, as Oliver points out.
Oliver warns: “That the threat landscape will keep evolving is, unfortunately, inevitable. That means businesses need to be all the more diligent when it comes to building a pervasive security culture, in which employees are aware and able to practice smart cyber hygiene and make safer online decisions.”