CYBER RISK – IS IT JUST AN IT ISSUE?
Most people probably think of the IT Department when cybersecurity is mentioned. Following all the publicity that surrounded the global cyber incidents of 2017, the massive data breaches of 2018, and the continuing cyber attacks since then, you’d be forgiven for thinking that cyber risk is purely an IT problem. It is undeniable that companies are increasingly dependent on digital technology, which exposes them to more cyber risks and threats than ever before.
However, while our networks, devices and software need to be secure at all times, it’s not just the technology that we have to consider. Cybersecurity is a complex business risk, not just an IT problem. It involves the entire company. To properly assess the risk, a company should consider its technology risk, human risk and governance risk.
It is not surprising that the traditional approach to information security has focused on seeking technology solutions to risk. The IT budget of most companies is a meaningful component of total expenses, and IT professionals, whether internal or external resources, will advise on how the budget is spent. But where is this spending best directed for small businesses?
Cyber Essentials, the UK Government-backed scheme designed to help all companies protect themselves from commonplace internet-based threats, sets out 5 technology areas that companies need to focus on. These are:
- having a secure system configuration
- strong passwords
- controlling user access
- ensuring software patching and
- running anti-malware defences
This is the starting point for companies that wish to protect themselves and move towards becoming cyber resilient. A further UK Government initiative is the “10 Steps to Cyber Security”, which considers technology risk in more detail and adds the human risk dimension.
As we all know, technology never stands still. Due to the increase in popularity of mobile devices, tablets and the huge growth in Internet of Things (IoT) enabled devices, an increasing number of entry points exist to your network that cannot easily be secured using a traditional network perimeter firewall.
Cyber hackers are using more sophisticated tools, such as artificial intelligence, and some now have much more sophisticated agendas. Espionage, disinformation, market manipulation and disruption of infrastructure are a reality now, alongside the list of commonplace cyber threats, such as data theft and extortion. There will clearly be an ongoing need for IT solutions to counter the increasing risks.
In recent years, there has been a growing awareness of the cyber risk arising from human behaviour. The “10 Steps to Cyber Security” includes the human aspect of cybersecurity by referring to User Education and Awareness Training, the need for an Information Management Regime and for Incident Management planning. In fact, some estimates now attribute up to 80% of all cyber risk to the human aspect.
According to CybSafe, a specialist provider of human training and awareness software, the traditional definition of the human aspect of cybersecurity is as follows:
“To some – maybe even most – the human aspect of cybersecurity refers to the risks posed to an organisation when people, affiliated with that organisation, interact with technology. Most of the time, the people in question will be employees – but they could also be suppliers or any other third party with legitimate access to an organisation’s network.
The definition conjures up images of malicious actors, but the human aspect of cybersecurity, of course, refers to both malicious actors and the well-meaning people who could unintentionally cause issues.”
When malicious actors target the human aspect of cybersecurity, it is often referred to as “social engineering”. Essentially, it amounts to getting well-meaning people to do things that they should not do, and would not ordinarily do, by using human psychology against them.
A $100 million scam
A good example of human risk is the case of Evaldas Rimasauskas. Rimasauskas reportedly stole more than $100 million from companies including Google and Facebook. According to reports, he stole the money, not through malicious software or by conspiring with insiders, but through an elaborate scam that eventually persuaded well-meaning people to send the funds his way.
CybSafe address the human aspect through video-based training and awareness software modules that are designed to change people’s cyber awareness and behaviour and also the culture of the organisation. This training is intended for everybody, from the Board of Directors down. Changes in awareness, behaviour and culture are measured over time to give an accurate picture of progress made.
Through an approach like this, people can become the first line of defence for the company against the hackers: an asset and not a weakness or a threat. These people can prevent more attacks than they cause by ignoring phishing emails, locking their computer screens before leaving their desks, using multi-factor authentication, avoiding websites with security warnings and updating software to patch vulnerabilities, to mention just a few actions that reduce risk.
The final aspect of cyber risk that we consider in this article is governance. Having good cyber governance is not as daunting as it sounds. Governance is all about the way in which the company is run. This starts at the top with good levels of engagement from the Board of Directors who should set the tone for the entire company. Following simple guidelines, processes and procedures can go a long way to ensure that a business implements good governance. Companies should ensure that they have clear processes and procedures in place that all staff can refer to and that these are continually updated, in line with any new threats or risks that appear.
Ensuring that all your staff are educated and aware of the cyber risks and threats they could experience is a big part of your defences. It is essential to have robust policies, procedures and guidelines in place that are understood by everyone. Successful and complete protection of a business requires the entire organisation to think about what these threats mean for the business as a whole, its employees and its customers.
Long gone are the days when we could pass the cybersecurity problems to the IT department. This is a complex business risk and it requires an approach that integrates cyber resilience into all aspects of the business. In fact, a shift of mindset is required throughout the organisation to question when, and not if, the business will suffer a cyberattack.
Peace of mind from Cyber risk
Small businesses are big business for Cybercriminals. You may be managing a small business, struggling to make sense of this complex environment and concerned that you may not be doing enough to prepare your business and your people for a Cyber incident.
If so, the online education course offered by Surviving Cyber can help you prepare your pathway to peace of mind. If you like the sound of the course, Surviving Cyber – the small business owner’s Pathway to Peace of Mind, you can register here.
The course is currently being piloted with the first cohort of students. If seats on the course are not available when you enquire, please join the Surviving Cyber email list to receive ongoing communication from me, including details of future courses. I look forward to engaging with you.