Welsh technology specialists ITCS are concerned to learn that the UK’s most senior executives do not fully appreciate the damage to business reputation and loss of customers that a cyber-attack can cause, or the damage that identity theft can do to an individual.
One message has been definitely heard – the threat of high fines under the new GDPR rules.
Even though many businesses are not yet prepared for the introduction of the GDPR rules in May, a new study by Centrify, commissioned through Dow Jones Customer Intelligence, revealed that nearly two-thirds (63 per cent) of respondents in the UK are concerned about the costs of investigation, remediation and legal fees in the event of a cyber security breach. A further 47 per cent of the respondents said they were worried about the disruption to business operations a breach would cause.
It seems few businesses have given any weight to what is potentially a far bigger cost to UK businesses. Only 16% of senior executives expressed concern that a data breach could result in a loss of customers, and only 11% of them were worried about the damage a data breach could do to the company’s reputation.
The study of 800 senior-level executives, including CEOs, Technical Officers and CFOs in the UK and US, also indicates that there is confusion in the C-suite about what constitutes a cybersecurity risk and what needs to be done to prevent it.
In the UK, malware is seen by 44 per cent of respondents as the biggest threat to an organisation’s success, compared to just 24 per cent who point to default, weak or stolen passwords and 29 per cent who blame privileged user identity attacks. However, of those organisations that experienced at least one significant security breach in the past two years, just 11 per cent admit it was due to malware, while almost twice as many put it down to either a privileged user identity attack or stolen or weak passwords (21 per cent each).
In fact, 63 per cent of the UK organisations that have experienced a major breach admit that privileged identity and access management would have most likely prevented the breach.
The Verizon 2017 Data Breach Investigation Report supports this, indicating that 81 per cent of breaches involve weak, default or stolen passwords. More than half (53 per cent) of respondents at breached organisations say audit trails for system access, and a quarter say training or awareness, would most likely have stopped a breach.
Despite this research, it seems that business priorities in cybersecurity investment over the next 12 months are not focused in the right areas. Solutions being implemented focus on tackling malware (44 per cent) and phishing (38 per cent), while protection against stolen or weak passwords (33 per cent) and privileged user identity attacks (26 per cent) seem to be less important.
ITCS Compliance Officer & Cyber Security Specialist, Wayne Harris, says:
“Words like ‘cybersecurity’ and ‘cyber attack’ conjure up images of shadowy figures in far-flung lands, and the media has not helped in this regard. It is relatively easy to persuade executives to invest in hi-tech anti-malware and anti-virus solutions, because they can be passed off to the technical team and don’t require any culture change.
“The biggest threats are simple for businesses to manage – but require commitment at every level of the organisation, led from the top down.”
Wayne believes that the biggest risks to security come from poorly informed, untrained staff, and is a firm believer that robust policies are needed to derive maximum benefit from any investment in technical solutions.
“The biggest threats to business security are poor password practices and general complacency around security issues. Time and again, when I’m asked to investigate security issues, I find companies who have invested in tech solutions have not invested in teaching staff the basics about cyber security.
It’s important to train and reinforce:
- the importance of good password hygiene
- how to lock their screens when leaving their desk
- to challenge strangers walking around their building
- to report and challenge telephone callers asking for sensitive information
- the dangers of clicking links in an email
Executives would be amazed at the information which can be gained by a simple social engineering exercise. Identity theft remains one of the biggest concerns for both businesses and individuals; the damage it can do is huge, and training staff is the most important step businesses can take to prevent it.”
ITCS are running a series of free and low-cost IT security courses for Welsh business leaders to help them prepare ahead of the new rules in May. However, Wayne says businesses wanting merely to comply with GDPR are missing the point.
“Businesses need to think beyond GDPR fines. Protecting data is not about ticking a box for compliance – it’s about making sure the personal information you hold on your staff and your customers is adequately protected from all threats. The human cost of identity theft, and the potential damage to your business reputation, should not be left out of the equation.”