According to IBM’s Chairman, President and CEO, “Cybercrime is the greatest threat to every company in the world”. Indeed, many leaders around the world continue to raise the alarm that a ‘Cyber Pandemic’ will be the next real threat to emerge within the Western world. But what is the real risk to your business?
In the first of our series of Security Blogs we examine the real risk posed by Cybercrime, how to assess the potential risks posed to your business and the steps that you can take to maximise the security of your online business.
WHAT IS THE REAL RISK TO MY BUSINESS?
According to Business Insurer Hiscox, an estimated $1.8 Billion was lost by Companies to Cybercrime in 2019. Whilst large Corporations often suffer the brunt of such attacks, it is important to understand that small to medium organisations are in fact the target of 43% of all cyber-attacks, and that 60% of these businesses go out of business within 6 months of an attack (US National Cyber Security Alliance).
Often the reputational damage and loss of credibility suffered as a consequence of a Security Breach will far outweigh any direct financial misappropriation. It is therefore imperative that Organisations fully consider all potential consequences of a Security Breach when undertaking a Risk Assessment.
LOSS OF REVENUE
When considering the potential for lost revenue due to Cybercrime, it is important to understand that this is often suffered as a long-term consequence of loss of credibility, rather than due to direct monetary theft. That is to say, you do not have to be trading online, or to have money stolen directly from your online systems, to incur substantial losses in revenue due to Cybercrime. Suffice it to say, when considering how a Security Breach may impact your bottom line, it is imperative to consider all the ways in which this may occur.
LOSS OF SERVICE
If your Organisation provides Online Services that are fundamental to your day-to-day operations or which form an essential element of your business then it is imperative to consider the impact that could be realised through a loss of service. Could a loss of service cause you operational disruption? Prevent your Members from accessing key data? Worse still, could a loss of service drive your Customers to your Competitors?
When considering the potential impact of a Security Breach, the potential for loss of credibility, reputational damage and damage to brand equity should not be underestimated. Indeed, in studying data breaches at 34 listed Companies, security researchers Comparitech found that the share prices of the affected Companies fell by an average of 3.5% following the attacks. In the case of small to medium online businesses, reputation and credibility are of paramount importance and it therefore goes without saying that a data breach can be catastrophic to these types of businesses.
STOLEN INTELLECTUAL PROPERTY
When considering your Organisation’s online security, it is important that you also consider the potential for theft of Intellectual Property. Does your organisation for example store intangible assets including designs, documents or technologies within an online system?
ASSESSING THE RISK TO YOUR BUSINESS
It is important to understand that a good Cyber Risk Management strategy will be intrinsically linked to, and supportive of, an organisation’s key priorities and objectives. Understanding how a breach of security may directly impact the operational integrity and governance of your business is extremely important.
The UK’s National Cyber Security Centre provides the following 10 steps to protecting an organisation from Cyber Security threats:
Risk Management
Organisations should take a risk-averse approach to securing all of their systems and data. It is therefore imperative that a full Risk Assessment is undertaken for your organisation and that you proactively plan for how such risks can be effectively monitored and managed.
Engagement and Training
Organisations should work collaboratively with their members to implement security measures that work for the people within the organisation. The success of your Risk Management Strategy will in part be determined by the support and engagement of the wider team.
Asset Management
Organisations should maintain an Asset Register which includes their data and systems, as well as the business functions they support. Understanding how to protect your Organisation’s key assets, and managing any associated risk to business functions, will be integral to establishing appropriate security governance.
Architecture and Configuration
Systems should be architected, built, configured and maintained in a manner that ensures security is paramount. Whilst it is sometimes assumed that a Development or Hosting Company will naturally take the steps required to protect your organisation’s assets, for example through a Secure Software Development Lifecycle (SSDLC) or proactive Vulnerability Scans, the implementation of advanced security measures will often be excluded from an agency’s budget unless specifically requested.
Vulnerability Management
Systems should be protected throughout their lifetime, with emerging threats being identified and mitigated in a proactive rather than reactive way. As such, it is imperative that an appropriate level of threat monitoring and management be employed in respect of your online systems.
Identity and Access Management
It is imperative that Organisations implement appropriate system and data access control measures. That is, Organisations should control access to their systems and data based on identity and privilege level.
Data Security
Sensitive data should remain secure both in transit and in storage (at rest).
Logging and Monitoring
Systems should be architected and configured in a manner that provides audit or logging functions, thereby enabling the detection and investigation of a Security Breach.
Incident Management
Once the potential risks to an organisation have been identified, appropriate responses should be planned. For example, if a fundamental aspect of your system were to go offline, do you have the capacity to roll back, fail over or restore your systems?
Supply Chain Security
Organisations should work in collaboration with their Partners and Suppliers to ensure the overall security of their Supply Chain.
IDENTIFYING AND MANAGING THE RISK
Risk Management is an iterative process that should evolve in line with your business priorities, processes and systems. As such, Organisations should strive to make Risk Management an inherent part of their overall governance, thereby enabling effective control structures and risk mitigation strategies.
Some of the considerations for an Organisation when undertaking to develop a Risk Management strategy may be:
- What are my key business priorities and how could they be impacted by a Security Breach?
- Are there levels of risk that my organisation is prepared to tolerate?
- Does my organisation have adequate security policies and procedures in place?
- Are the organisation’s Security Policies and Risk Management Strategy appropriately owned and approved by the Board?
- In what areas of my business do I need to consider and apply Risk Management?
- Are there external Services upon which my organisation is dependent and what would be the consequence of a loss in this Service?
- Is my Organisation’s chosen Risk Management Strategy the correct approach? For example, does my Organisation require a full Risk Assessment or would a service such as Cyber Essentials provide the controls necessary to provide protection?
- Has my Organisation implemented appropriate controls for managing and mitigating risk?
- Does my Organisation have appropriate arrangements in place to monitor and manage evolving Security Threats?
A great place to start when assessing the real Cyber Security risk to your Organisation is the range of resources now provided by Governments including that of the UK National Cyber Security Centre https://www.gov.uk/government/collections/cyber-security-guidance-for-business.
Alternatively, why not contact one of our team of experts to discuss how i3 Digital can assist you in protecting your online business or to avail of our Free Security Check.
In the next in our series of Security Blogs, we explain in simple terms some of the most common Website Vulnerabilities and the steps that can be taken to mitigate them.