[BreachExchange] Companies need to adopt a culture-shift to ensure cyber-threat awareness

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 29 19:11:36 EDT 2017


https://www.scmagazineuk.com/companies-need-to-adopt-a-culture-shift-to-ensure-cyber-threat-awareness/article/679321/

Over the last year we have seen a rise in high-profile cyber-attacks, with
WannaCry and NotPetya causing an immense amount of disruption to
companies, government departments and the NHS. When the WannaCry attack hit
the headlines in May it affected 230,000 computers across 150 countries and
had an economic cost of more than £3 billion. The cost of NotPetya is
still being counted, although one consumer products company has already
estimated the cost to it as £110 million in lost revenue, with many others
across the globe affected.

Both attacks were ransomware, a type of attack in which the perpetrator
threatens to publish a victim's data or permanently block access to it, and
ransomware is now seen as the largest threat to a business. Worryingly, the
Russian Ministry of Communications reported that up to 40 percent of stolen
funds are subsequently invested into the improvement and modernisation of
malware technology, phishing techniques and fraudulent online schemes.

Companies are therefore taking steps to protect against these types of
attacks. However, with the average investment by a company in
cyber-security being 0.5 percent, we may not see this problem go away for a
while yet.

All is not lost, however. Both attacks exploited vulnerabilities in
out-of-date operating systems that would not have been vulnerable had they
been patched. Security patches for supported operating systems are usually
free, so there is little budgetary demand here, which means the finance
hurdle is partly crossed. There will be a resource demand on the IT team
responsible for patching an entire IT estate, which may be further
complicated by end users who are keen to get on with the day job and not
have the distraction of worrying about the tech that supports it. This
means the patching problem is largely about people and process.

To effectively combat these types of attacks we need to look at a cultural
change within the company and move cyber-security higher up the agenda. A
great start could be to adopt the ISO/IEC 27001 Information Security
Management standard, which ensures management buy-in, has a set of technical
controls that must be followed and ensures people have a level of awareness
of security in the company. For smaller companies, there is the Cyber
Essentials scheme, which focuses on technical vulnerabilities and
provides a check to ensure that controls are in place, one of the areas
being patch management. By adopting this scheme, smaller companies are
committing to a cyber-security programme, which again shows management
buy-in.

The company's employees, as always, are key: a recent review found that
90 percent of all malware requires human interaction to infect its target
machine. This means one of the areas we must look at is user awareness.
Having an effective awareness programme in place, so that employees are
sufficiently briefed and know what to look for, will not only help in
preventing an attack taking place but will also aid in changing the culture
of the business to bring cyber-security higher up the agenda. Awareness can
be provided in several different ways, including internal training by the
security department, onsite training by external providers or online
courses.

In addition to the steps we take to prevent a cyber-attack, we also
have to recognise that we may one day leave one of the windows open and an
attack may occur. For this we need a cyber-incident response plan that
gives a clear set of instructions, along with roles and responsibilities,
for what should be done if an incident occurs. We also need to make sure we
rehearse the plan and update it to ensure it remains fit for purpose.

So, in summary, whilst we are going to see more cyber-attacks in the future,
there are steps we can take to aid prevention. Firstly, cyber-security
should not just be an IT problem and should be higher up the company's
agenda. We should look at adopting a standard that ensures cyber-security
is constantly considered and monitored, and that action is taken to
remediate vulnerabilities. We should also be looking at increasing
awareness within the company using onsite or online courses, and lastly, we
have to consider the possibility that an attack may be successful and put a
plan in place to deal with the event.