Code red
What do you need to know about the risk of cyber attack? Craig Leach explains...
In the digital age, critical asset protection is about much more than just building physical barriers – cyber attacks, hostile activism and terrorist threats all now potentially feature on the company radar.
Targets and incidents come in all shapes and sizes. The cyber attack on Sony Pictures in 2014 caused initial cancellation of the release of a major comedy film due to fears of a terrorist threat in response to perceived controversy surrounding the film’s satirical content.
By contrast, the attack earlier this year on the website of Shropshire Fire & Rescue Service by a group concerned about the Palestine/Israeli conflict appears to defy any simple explanation, given the target’s non-political status, highly localised activity profile and lack of any significant digital assets.
While the motivation for attacks might, at times, seem unclear, the underlying trend in proliferation is not and the latest data makes for alarming reading.
The figures tell the tale
The Global State of Information Security Survey, conducted annually by PwC, reports that the total number of security incidents detected by respondents climbed to 42.8 million in 2014, up 48 per cent year-on-year.1 That figure equates to an average of 117,339 incoming attacks per day.
Size does matter and large organisations (those with gross annual revenues of £1.5bn or more) detected 44 per cent more incidents compared with the previous year. In geographic terms, the survey also shows cybercrime rising significantly in Europe, with a 41 per cent jump in the number of detected incidents reported.
In the UK, research from the Department for Business, Innovation & Skills (BIS) has also shown that cyber attacks are on the rise, with 87 per cent of small firms having experienced a security breach in 2012 and 93 per cent of large organisations also being targeted.2
A recent study by the Center for Strategic and International Studies estimated that the annual cost of cybercrime to the global economy ranges from £560bn to as much as £858bn.3
Simply placing a rough monetary value on the harm suffered by business does not, though, take into account the many associated non-financial impacts faced, such as theft of trade secrets, breaches of intellectual property rights and risks to reputation. Nevertheless, overall the figures tell the tale: risk is on the rise. So, how can businesses prepare for every eventuality?
Pick your battles
The answer is you don’t – it is neither resource-realistic nor cost-effective to try to cover all bases. Gathering, collating and risk-assessing threat intelligence will allow for strategic solutions that can identify the most relevant risks and compliance requirements, in order to prioritise response and spend.
An organisation’s biggest asset is often its biggest risk: people. According to the BIS research, 84 per cent of large businesses reported staff-related cyber breaches, as did 57 per cent of small firms. So, how can embedding a security culture within an organisation help to lock in long-term protection?
Culture and policy
Security culture is embedded in an organisation by strong leadership. Standards set the framework for development and appropriate risk assessments identify priority areas for protection. For consistency and continuity, it is important that security sits alongside all of the existing and planned action and/or quality management systems.
Security policy is then led by this culture. With company assets identified, protecting them through policy and procedure, training and awareness can be pitched at a level commensurate with the risks and threats. There is no one-size-fits-all solution, but mitigation need not be expensive.
Solutions can be physical or virtual – ranging from providing an alarm-receiving centre for an integrated security system across the UK to ensuring that IT systems comply with ISO 27001, data is protected from cyber attack and security clearance processes are in place to vet employees and suppliers.
All scenarios are unique, but a security culture can invariably be broken down into four elements: stakeholders; assets; tasks; and responsibility.
Stakeholders
Identifying the stakeholders who need to be engaged in, and committed to, a security culture is the first step. Buy-in is essential at the very top of the business from the executive and any investors. Critical engagement then follows with other partners, core teams, employees, and so on. All levels need to be engaged, not just informed.
Assets
Essentials such as intellectual property rights and aspects of reputation are often overlooked. Contracts are another area open to neglect – how much attention is paid to these once awards have been made? It is worth remembering investments, too – these will be challenged should you suffer security breaches.
Tasks
Rolling out cultural change on a gradual basis is vital – a step-by-step task list is fundamental. The first hurdle to clear is that of appointing the board member and getting a signature on the statement of intent. This shows commitment at the highest level and is key to successfully cascading down the leadership message. Establishing an intelligent structure for integration into your existing policies and practices is also important, with realistic timelines attached within a robust reporting mechanism. Use the audit and compliance procedures to recognise, learn and improve.
Responsibility
You need to establish who the people responsible for the actions are. Answering this question takes us full-circle back to the stakeholders who were identified at the outset.
Making it happen
A thorough assessment and review of your business organisation is critical to achieving a successful adoption of an appropriate security policy.
As a sobering footnote, however, it is worth mentioning that in figures from BIS, 81 per cent of UK respondents reported that senior management had not been able to put in place effective security. Knowing that something needs doing on security is one thing, but actually doing it is quite another; success starts with culture change.
Craig Leach is head of critical asset protection at Rhead Group