Businesses in the Thames Valley and south face constant threats from cyber breaches and attacks that are intensifying with home-based Covid-19 working. The Business Magazine asks what are the risks, how are companies coping, and what are they changing to deal with a more hostile threat environment?
Four in 10 businesses suffered a cyber-security breach in the past year, according to the Department for Digital, Culture, Media and Sport’s latest annual Cyber Security Breaches Survey. Around a quarter of those surveyed who had experienced cyber attacks or breaches said they happened at least once a week.
“The most worrying cyber security threats to our business are personal data loss, ransomware and cyber extortion,” said Graham Thomson, chief information security officer at law firm Irwin Mitchell. His fears are shared by most UK CEOs, for whom cyber-security threats were foremost on their list of concerns, second only to pandemics and health crises, according to PwC’s annual UK CEO survey. Yet, despite the undoubted scale of the problem, an IDG Research survey found that nearly 80% of IT and IT security leaders felt their organisations had inadequate security.
77% of UK CEOs plan to increase their investment in digital transformation
91% of UK CEOs are more concerned than ever about cyber-security threats
Source: PwC Annual UK CEO survey
91% of UK organisations plan to increase their cybersecurity budgets in 2021
78% of UK IT and IT security executives lack confidence in their company’s IT security
Source: IDG Research Services survey
Steven Smith, head of sales at Westcoast Cyber, which was established by technology distributor Westcoast in 2020, said businesses need to ask themselves two questions:
‘How does the attacker get in and what are they after?’
For starters, attack methods are multiplying, particularly since lockdown. Barry Remzi, principal consultant at Bridewell Consulting, said: “Some of the more common cyber threats include not having complete visibility of environments and users – 2020 saw a sudden shift to distributed and remote workforces, which many organisations were not prepared for.”
Dennis Murphy, cyber and threat expert at Gateley Legal, referred to the ‘attack surface’ as being very significant and attractive to malicious cyber actors. “Business leaders now realise the devastating consequences of a successful cyber breach,” he said.
A PwC survey of UK workers found many felt vulnerable to cyber crime since the outbreak of Covid-19, with 17% giving working from home as one of the main reasons. Nearly one third said that they had seen an increase in speculative online criminal activity.
Since lockdown, a higher degree of vulnerability is inevitable. Gary Cheetham, chief information security officer and data protection officer at Content Guru, described working from home as being outside the ‘castle’, without a secure office environment ‘moat and drawbridge’ for protection. “Organisations may be unaware of where weaknesses lie,” he observed.
For Bruce Penson, managing director of Pro Drive IT, loss of reputation caused by data breaches is a growing concern for businesses. “Especially in the professional services sector, where new business often comes via word of mouth and referral,” he said.
Attacks aren’t just from opportunistic individuals, warned Steve Groom, chief executive, Vissensa.
‘Organised and state-sponsored cyber crime is a game-changing threat’
“Regardless of industry type, the reliance of free-flowing supply chains means that an attack on a lower level but critical part of the supply chain may have as big an effect as trying to hit the target company head on. No one is safe,” he said.
39% of UK businesses reported having cyber-security breaches or attacks in the past 12 months
35% of UK businesses now deploy security monitoring tools compared with 40% last year
27% of UK businesses that have experienced cyber breaches or attacks say they happen at least once a week
Source: Department for Digital, Culture Media and Sport Cyber Security Breaches Survey 2021
The response by businesses during the pandemic has been to protect assets located outside their ‘castles’. “There has been a surge in deployment of additional endpoint security technology, multi-factor authentication, and remote connectivity solutions,” said James Cripps, chief operating officer of Enhanced.
Businesses must consider new tools and processes, said Tim Walker, managing director at Aura Technology: “The shift to remote working has seen a major increase in Distributed Denial of Service (DDoS) attacks, with a 272% rise in Europe during the first quarter of 2020, according to reports. Despite many of these attacks being on a small scale, they still can massively disrupt business operations.”
As well as introducing better technology, companies are also changing their cultures. “Businesses have refreshed or created new policy and governance structures relating to device use that reduce the risks of working from home,” pointed out Murphy.
Another way to deal with security weak points is by adopting more robust checks, noted Cheetham. “Organisations are moving to a stringent ‘zero trust’ strategy, which protects users, data, and business assets wherever they are. It is also essential that businesses monitor their supply chain – it must be watertight.”
Leveraging the protective capabilities of virtual private networks (VPN) has proved a popular means of safeguarding against cyber threats. “Many organisations have responded well to the difficulties of 2020, especially in the adoption of VPNs to access corporate networks,” thought Remzi.
However, Roland Emmans, technology sector head for HSBC UK commercial banking, warned: “Employees using a VPN carries more risk than when they are in the office using a closed network. One possible solution to this in the long-term is for businesses to consider investing in dedicated network extensions into their employees’ home, which would further protect the company’s data.”
It is usually CEOs and business owners who ultimately carry the can for cyber breaches. And they are also likely to be the decision-makers on committing investment to fight the problem.
“SMEs may be reluctant to spend on security as they might not believe they could be a target. But we are seeing this attitude changing – smaller businesses could lose everything and never recover. For hackers, it’s probably easier to hit 10 smaller businesses who are less secure than focusing on one larger target,” said Smith.
Collective responsibility fighting cyber crime should make it a team effort, commented Remzi: “If the security strategy doesn’t have users at its core then it is unlikely to succeed as, ultimately, security has to enable users to undertake their role effectively with a frictionless security experience.”
Paul Holland, founder and chief executive at Beyond Encryption, agreed: “I believe there is a job to be done changing hearts and minds to understand the issues, encourage the right behaviours within companies and create environments where firms strive to secure their communications.”
People are usually the weakest links in cyber security, making the level of threat from insiders a tricky issue. Insiders could account for around 95% of cyber threats, according to Graeme McGowan, consultant, cyber and security risk, at ESA Risk. “Often, it’s an innocent mistake due to human error rather than malicious actors,” he said.
‘Often, it’s an innocent mistake due to human error rather than malicious actors’
Whatever the reasons, employees (rather than their bosses) can find themselves blamed for data breaches. “Employees put more data at risk when working from home. ICO/Arlington reports that 73% of employees involved are either disciplined or even sacked, so the implications for workers are profound,” said Holland.
Groom noted that many insider jobs are preceded by ‘dry runs’ to see how much can be found or stolen. “This is where monitoring comes in. Insiders working from outside the firewall and the organisation’s parameters can be blocked much more easily,” he said.
Dealing with threats posed by insiders may be a sensitive issue, but it is one that companies can’t afford to ignore. “It is vital that they consider human behaviours alongside investment in the appropriate technological tools,” said Emmans.
It can be hard deciding where to draw the line between trusting staff and protecting your business assets. “You have to give employees the freedom to access systems based on trust. Privileged access management is good, so long as the right people are gaining access and have been properly authenticated,” said McGowan.
How you protect business assets should begin with an insider risk assessment, advised Thomson. “Consider the critical assets you want to protect and how an insider with legitimate access, the intent and the capability, could abuse their position to cause harm. Then consider what controls would prevent or detect such actions,” he said. “The UK’s Centre for the Protection of National Infrastructure has some freely available guides and frameworks to help address the insider risk.”
Robust information management systems capable of standing up to the rigours of remote working and disgruntled staff are an essential component in cyber strategies. “We suggest businesses certify themselves to the UK Government-backed IASME Governance certification, which will give them the tools and framework to put such a system in place,” said Penson.
Further investment in cyber security is inevitable for all sizes of business. PwC found that 40% of the executives it surveyed planned to accelerate digitalisation, as well as increase their cyber-security budgets. Around half of them also said they intended to add to the number of full-time cyber-security staff.
However, investment alone won’t solve all cyber-security problems. Attitudes must also change for security measures to be as effective as possible. “Sadly, the awareness or complacency that ‘it hasn’t happened to me so far, so it won’t happen’ is still widespread and mitigating security breaches is like any insurance policy: a grudge sale. It will cost time and money but not add anything materially to the business,” commented Groom.
That said, board-level involvement in finding practical solutions appears to be more in evidence, according to Holland. “Email security has gone from being within the sole domain of chief information security officers to a high-level risk issue for boards. Big companies are now treating this problem with the seriousness it deserves.”
McGowan expects to see more businesses acknowledge the importance of education and increased awareness of the threats.
‘We recommend ‘war gaming’ to practise how your company would react to a cyber breach’
40% of global businesses are accelerating digitalisation for growth
39% of global businesses are offering full-time remote work for more workers
Source: PwC Global Digital Trust Insights 2021 survey – Cybersecurity come of age
“Make sure everyone is talking together and that they understand the risks, through training and education,” he said.
Content Guru keeps staff on their toes with regular phishing tests. “New employees are, by far, the most susceptible to falling for scams. On the other hand, employees who are leaving the business are a risk for causing intentional harm to the organisation,” said Cheetham.
The Government is making cyber security one of the priorities in its Build Back Better plan for UK growth. “At the heart of this is a push for businesses to certify the government’s Cyber Essentials standard which, if followed, helps reduce the threat of cyber attack by up to 80%. This should really be the starting point on which organisations build their cyber-security plans,” said Penson.
Another factor behind effective cyber security is to make processes easier for employees, for example, by avoiding password-laden access requirements. Smith suggested one alternative: “Password-less uses biometrics and neuro-science, with shapes, patterns and colours. But there’s a problem of the connotation that password-less doesn’t sound secure when the opposite can be the case.”
Artificial intelligence is also coming to the rescue. “One of the key capabilities of AI-driven technology is its ability to learn normal patterns of behaviour, allowing it to detect unusual activity that could indicate a potential cyber-security threat or network breach. An autonomous response aspect then allows the software to respond automatically to this threat, with limited or even no human interaction,” said Cripps.
The message from companies and technology experts is to get your cyber security sorted and don’t waste time prevaricating.Cyber-Secure: 10 simple things your business should get right, right now.
‘If your business hasn’t got a cybersecurity policy, it’s time to get one’