Posted On: 3rd October 2012
In a recent Government report dubbed ‘Measuring the Cost of Cybercrime’, which was instigated by the Ministry of Defence, it was estimated that cybercrime is costing the UK economy around £11.6bn a year – and any company kidding itself it is outside the risk zone is playing Russian roulette with its future.
It is widely estimated that one in ten small businesses in the UK have had a data hack. The cybercrime threat in the UK is so severe that Government Communications Headquarters (GCHQ) has issued a warning to businesses, saying they now face “credible threats to cyber security of an unprecedented scale, diversity and complexity”.
“The extent of what is going on is astonishing, with industrial-scale processes involving thousands of people lying behind both state-sponsored cyber espionage and organised cyber crime,” MI5 head Jonathan Evans told a conference in London recently.
Evans singled out one particular corporate which had suffered at the hands of a foreign state. The attack cost the corporate £800 million ($1.2 billion) in revenue. “They will not be the only corporate victims,” Evans said.
No company, big or small, should assume that it will not be a target for phishing, hacks and data breaches. Small to medium-sized companies are particularly vulnerable: they represent ‘low hanging fruit’ for cybercriminals because they often do not have security high on the agenda, either because they haven’t got an IT security expert on board, don’t believe it will happen to them – or both.
A recent threat awareness survey by internet security company Symantec highlights the growing threat we are dealing with. Its research shows that since the beginning of 2010, 40% of all targeted attacks have been directed at small and medium-sized businesses, compared to only 28% directed at large companies.
Inadequate security policies and lack of data security knowledge are no excuse for not having a data security strategy in place. Nor is this the exclusive domain of the IT department. Senior management must understand the growing threat of cyberattacks, establish what such an incident would cost their business and make sure they are best protected against it.
Senior management must ask themselves: are they safe in the knowledge that the company’s key data is firmly locked down? What would a full-scale data breach do to their reputation in the marketplace, their brand and their ability to do business with others? They need to liaise regularly with their IT department and understand where the threats are coming from, what the motives are, what security strategy is in place and how regularly it is updated.
This call to arms needs to filter down through the company so that staff within the company are au fait with it and suitably trained to observe the company’s security practices and report anything they perceive as being out of place. Attacks can come from the inside as well as out!
On top of this, companies need to instigate a mobile working security policy and ensure all devices contain security protection. There is also an increasing trend for employees to bring their own devices to work, including smartphones and tablets, which needs to be carefully covered off under this heading.
At the same time it should single out who in the company can access removable media, which should always be thoroughly checked for malicious software before being loaded into a system.
Finally, don’t forget to adopt a lifecycle approach to security measures: the components of risk are changing as fast as technology is developing.
If you take anything away from this – remember cybersecurity is as much a boardroom issue as an IT issue. Ignore at your peril.