As I write this article I am acutely aware of the fact that – in the current climate – businesses face considerable and unprecedented challenges. Measures designed to stem the coronavirus pandemic have stymied incomes; working practices are in a seemingly constant state of flux and established processes are no longer effective; consumer confidence is at an all-time low. Adapting to the ‘new normal’ will involve the creation of innovative strategies. Substantial resolve, too, will be vital. Such measures, though, will amount to little more than wasted effort if businesses continue to remain indifferent to the threat posed by cyber crime.
The digital world’s nefarious actors represent a considerable and ever-growing threat to businesses. In spite of this, an alarmingly large number of senior leaders fail to give cyber crime the consideration it deserves. In my experience, this is, firstly, because they think their organisation will not be targeted and, secondly, because they are unaware of just how damaging cyber attacks can be.
Regarding the first assertion, I can assure readers that the claim that all organisations will be targeted by a cyber criminal is, though often dismissed as hyperbole, undeniably accurate.
According to insurance firm Hiscox, a small business in the UK is successfully hacked every 19 seconds. Furthermore, 65,000 attempts to hack UK-based small-to-medium enterprises (SMEs) are undertaken each day. This equates to 24 million attempts per annum – 1.5 million of which are successful. To put that in context, consider that 4.2 million organisations were registered with Companies House in March 2019. If the number of successful breaches were distributed evenly across all organisations, 35% of companies throughout the UK would suffer a breach every year.
Consequences of breaches are consistently severe. The passing of General Data Protection Regulation (GDPR) legislation in 2018 provided watchdogs with the ability to impose large financial penalties on organisations that fail to adequately protect data relating to consumers. The loss of key digital systems, known as downtime, is common following successful cyber attacks, too; research has shown that just a single minute of downtime typically costs an organisation several thousand pounds.
Finally, cyber breaches can have subtle but long-lasting effects. Infections can sit on networks for months, making infrastructure slower and less effective. This, in turn, has an almost siphon-like effect on productivity. The decline is so gradual that it is imperceptible at first, but its impact on output and profitability always becomes evident with time.
I could elaborate further on why your business will be targeted by cyber criminals. I could also list further examples of the ways they can damage your organisation. I would hope, however, that those referenced above – combined with the knowledge that I could provide many more – will be sufficient enough to convince you to act. Before you do, though, I need to share another vital fact with you. One that should have a profound influence on the way you choose to secure your organisation: 80% of successful cyber attacks are attributable to human error.
The importance of cyber security education
All too often, decisions makers looking to counter the threat of cyber crime place excessive focus on technology. Firewalls, anti-virus software, big data, AI, analytical tools, etc. should all contribute to an organisation’s cyber security measures. No matter how advanced tech may be, however, it can be circumvented with ease when employees are oblivious to the frequency of digital crime and how their actions can grant access to the organisation’s infrastructure.
People typically view cyber criminals as exceptionally intelligent and technically proficient individuals. In reality, they are far more likely to manipulate people than they are technology. Mimicry and trickery are their usual weapons of choice. Emails claiming to be from a service provider, client, etc. and requesting the user take a certain action (usually clicking on a link that will lead to a virus being installed or disclosing a piece of information) are commonly used. So, too, are communications or even physical visits wherein an employee is duped into taking a certain action or providing the perpetrator with access to buildings, sensitive information or both.
Addressing these problems, though, is as simple as raising awareness and implementing some straightforward policies. Inform employees of these techniques and ask them to forward suspicious communications to your organisation’s systems administrator.
Additionally, insist that links in emails are not to be used and that concerned employees can, instead, visit a provider’s website directly. Ensuring that employees know they are not to disclose any company information or allow visitors that have not been pre-approved on-site will also greatly enhance security, also.
Remember, these simple changes can protect your organisation from 80% of all successful cyber attacks. Further changes will need to be made and technology implemented to deflect more sophisticated attacks, but employee awareness is the bedrock upon which all robust cyber security strategies are built.
About the Author:
Rob Dance is the CEO of technology consultancy firm ROCK. Founded in 2009, the company offers their clients digital transformation, IT support, cyber security solutions and training, and more.