[BreachExchange] What will it take for the C-suite to care about cyber-threats?

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 4 19:40:32 EDT 2018


https://www.scmagazineuk.com/what-will-it-take-for-the-c-suite-to-care-about-cyber-threats/article/765568/

While cyber-attacks are on the rise, the C-suite remains seemingly unshaken
- it's time to get proactive in tackling cyber-crime at board level.

Many CEOs, CTOs and CIOs sit around their boardroom tables confident that
they have the best technological solution to secure their data while
keeping services running and the servers powered on. But one area of
cyber-security that companies often neglect is the financial impact of an
attack beyond infrastructure spending and the resulting loss of profit.

It is no surprise that [London newspaper] City AM has highlighted this
glaring omission, pointing out that only a third of British businesses have
a financial plan in place in case of a cyber-attack. Research from Lloyds
Bank reveals that only half of companies consider the risks of a
cyber-attack at board level: a worrying sign that the simple dots are not
being joined.

Preparing for a potentially devastating cyber-threat is not purely about
signing off budget lines for hardware and software protections; further
lines must be added for the financial consequences, such as paying a
ransom while keeping the business going.

On the ransom question, the survey suggests one third of companies would
pay such a demand to unlock their systems. But doesn't paying simply open
the door to further attacks? Even if you were willing to stump up the
money, how much would you be prepared to pay, and is that amount insured?
Only a quarter of those surveyed by Lloyds Bank had policies covering such
scenarios.

The problem remains that these 'cyber-insurance' policies simply don't
cover everything; how could they, when the threat landscape changes daily
and the market is still immature for insurers? And when attackers have
locked your systems and threatened to delete data unless you hand over
money, the decision on whether or not to pay can be a tough call, risking
huge reputational and day-to-day damage and, in some cases, even putting
lives at risk.

You only have to look at last year's WannaCry attack on the NHS and the
recent ransomware attack on the city of Atlanta's servers to imagine the
fallout and disruption that could ensue. Of course, the best form of
defence is a proactive defence, especially when cyber-attacks are getting
far smarter at outwitting the checks and balances many currently have in
place.

The biggest source of infiltration by criminal malware is email, and all it
takes is one member of staff clicking on a seemingly innocent attachment in
a message that appears to come from a known contact. In fact, 74 percent of
all successful malware and ransomware attacks find their way onto IT
systems and sensitive data through email attachments. Because email is the
lifeblood of organisations, it can't simply be switched off to safeguard
the business from attacks.

This does not mean your current security technology is entirely useless,
but it does mean you must continually analyse its ability to protect you
and ensure every boundary is covered. We're still seeing companies apply a
one-size-fits-all approach to cyber-security, as if it were simply another
tick-in-the-box exercise. This is a grave mistake. Every boundary needs
up-to-date technology in place to keep threats at bay, because traditional
signature-based anti-virus cannot keep up with the dynamic threat landscape
we see today.

But how often does a company run education sessions for employees to ensure
they know what they should click and what they shouldn't? The old adage
'if it looks too good to be true, it probably is' still has value, but
cyber-attacks are becoming ever more sophisticated and clever at disguising
themselves in realistic-looking documents and links.

Alongside this, it is reported that only one in ten cyber-crime cases is
actually investigated by police, leaving the door wide open for the problem
to grow out of hand in the coming years, with criminals knowing they are
likely to get away with it if they just try their luck. The power is firmly
in the hands of the cyber-criminal.

The advent of GDPR, which came into effect in May 2018, also raises fears.
It means enterprises face much larger financial penalties should they
suffer a data breach. The recent compromise of 150 million MyFitnessPal
accounts is just another example in a long line of such attacks, which are
increasingly everyday news.

It is disconcerting to learn that just half of companies are discussing
these issues at the most senior levels. The problem must be taken seriously
rather than parked as something that 'won't ever happen to us'. Then it
must be tackled head on, proactively rather than reactively.

Unless you are thinking proactively and regularly closing down attack
vectors, you will forever be on the back foot with fixes and patches,
watching helplessly as cyber-criminals race ahead with new and successful
attempts to bypass them.