By ‘any Australian business’ Mak points especially to those that are data-rich or dependent on data as part of their core activities. He points to real estate businesses, professional services firms, hospital and healthcare providers, utilities and essential services.
To put cyber risk where it belongs, front of mind, Mak says companies need four things:
- An awareness of the specific assets at risk
- A strong risk culture, with risk management second nature throughout the organisation, rather than merely a compliance function
- Appropriate skills and control systems to manage the risk
- A response plan to activate in case of an attack.
Protecting your business against cyber risk is not only about software or expense
Human error is responsible for 95% of all security incidents according to Verizon’s Data Breach Investigations Reports, 2013-2015. And the first defence against human error is company culture. “Vigilance to prevent malicious activities must be second nature throughout the organisation,” says Mak, “not simply a compliance requirement.”
It is easier to trick someone into disclosing a password or bank details, or into giving access to their computer, than it is to hack into a system. Exploiting our natural willingness to trust, be helpful and be curious is called ‘social engineering’.
Reducing your company’s vulnerability to social engineering attacks is about knowing who and what to trust. It is about taking time and verifying the source of enquiries or requests for help, donations or payments. It is about identifying the most common forms of social engineering (emails that contain downloads or links, requests for help, answers to questions you haven’t asked, etc.) and educating the team to research the facts, delete suspicious communications and regularly change passwords.
It is not about making security protocols so complex and difficult to navigate that people look for work-arounds that make their job easier to do but threaten to compromise security.
How can you build a strong risk culture in your organisation?
- Educate people on the reality of cyber risk
- Be clear about what data or information must be protected
- Keep the team up to date on common social engineering attacks
- Have protocols on what kinds of websites may be unsafe, on downloading attachments from unknown sources and on linking to sites that you cannot control
- Scrutinise your supply chain and ask the businesses you work with to comply with your safety plan.
Cyber risk insurance has become the fastest-growing protection category according to global broking giant Aon in The Australian Financial Review. However, only 25% of survey respondents said their organisations held cyber risk insurance; 32% didn’t know whether or not they did.
Remember, the likelihood of a security breach depends not only on how your company prepares today, but on whether you continue to evolve your networks to keep pace with an ever-evolving threat.
WHAT DO CYBER CRIMINALS DO?
If we translate the cyber jargon into old-world language, the threat that a breach of your digital security poses becomes a bit clearer.
Extortion: When a cyber criminal gets hold of sensitive information and threatens to release it, unless money is paid or some action is taken. Think Ashley Madison, or InvestBank in the United Arab Emirates. In both cases hackers released customer data causing enormous reputation damage.
Sabotage: A hack may be designed to disrupt or destroy a computer network or the data on it. This may be a subtle change that creates malfunctions.
Theft: Basic credit card details sell for prices ranging from $5 in the US to $25–30 in Europe (McAfee, 2015). The more data associated with the credit card number, the higher the price. Theft can extend to knowledge, trade secrets and proprietary processes. If it’s online, or in your system, and it has value, it can be targeted.
Hijacks: Computer systems can be hijacked to allow the attacker to take complete control over an affected computer remotely. This can be done to steal credentials from the machine, or to use its processing power to send spam. Such compromised machines form zombie botnets.
Fraud: When credit and financial information or whole identities are stolen online and used in a criminal manner. Non-delivery of goods sold at online auction is also fraud.