Cyber Security is Now Business Critical (£)
Whatever its sector or size, cybersecurity is now critical for any organisation.
Most companies learn about cyber-attacks the hard way, when they get hit. Often the senior board hears about only some of these attacks because, in the eyes of the IT department, they are too frequent and routine to report, and the focus goes on recovery and refocusing instead.
As HR, data, marketing, finances and customer relationships are all inextricably linked to technology, you must take steps not only to protect all your online assets but also to keep up with the changing electronic security issues.
The areas at risk have grown, but some of the areas you should ask about are: employee data security, insurance numbers, salary data, banking information, company business card data, customer lists, trade secrets, email access, software licenses, 3rd Party Content/Agreements.
Nearly all businesses suffer cyber-attacks: around 82% of large businesses suffered a security breach in 2015, and 59% of small businesses of under £10m turnover suffered cyber hacks. The cost to larger operations of over £10m is now between £500 and £1.4m, with the cost to businesses of under £10m at between £50k and £130K.
There are believed to be around 119K cyber hacks daily, with the average cost of a data breach for larger organisations of over £20m turnover being around £1.4m.
However, all the recent research shows that, although senior management is seriously concerned about the attack levels and is trying to take measures to reduce them, most firms have only a very basic security protection process in place.
The actual number of hacking attacks is now beginning to fall; however, that is because hackers are becoming more focused and specific in the way they hack and use malware and similar tools. So you do need to protect your private and commercial information continuously, through an ongoing audit process that measures and also predicts new attacks and takes measures to reduce the attack levels.
This is an ongoing process because, for instance, hacks on basic data cover many areas, from strategy to employee records, sales plans, customer data, financial accounts and legal copyright. One question you should continue to ask is: if I wished to use the company’s data for gain, what would I steal?
Important Areas of Cyber Security
Here are some areas that need to be considered and require security planning:
1. Your managed computer systems should only be accessed by authorised employees.
2. If you have sensitive information to pass on, use technologies such as Box.com, which has services to send and receive documents in a secure and authenticated manner.
3. Internal mail should be monitored and reviewed using strategies and plans that employees follow and that can detect hackers’ attachments.
4. Maintain good, frequent discussion, presentation and communication with your employees about how to protect and use information within the organisation and information coming from outside.
5. Training in IT security and commercial analysis should now become a requirement for your organisation and should be continued in all areas of the business. This should include personal and group training for the Board, senior and middle management.
6. The majority of hacking attacks happen because of employee and management mistakes. Often it is human interaction which is the real issue causing security breaches.
7. Social engineering is the industry’s term for when a hacker uses relationship knowledge to gain access to information that would otherwise be secret or private and certainly publicly unavailable.
8. Old systems and out-of-date PCs and Macs that are still used within a changing environment require security and monitoring updates.
Cyber security these days requires planning and an engaging strategy that your employees are aware of when aspects of it affect their areas and themselves. There are a lot of quite simple measures that improve your commercial security, and these should be frequently checked and updated.
Sending phishing emails to commercial employees is a common method that cyber hacking criminals use to get inside your system. Over one hundred million phishing emails are sent daily and around 7/8% are opened, which gives the criminal access to private data. Again, education of management and staff is really important and is the best method of prevention.
Unfortunately, around 60% of management do not understand cyber security risks and how they affect the business and the areas they are employed to manage, and around half do not think cyber is their problem.
Nearly half of all organisations do not have an adequate cyber security budget, do not have the right employee training and knowledge, and do not clearly interconnect with the personnel and structure of other parts of the organisation to help monitor their own use of cyber and the best methods of use and protection.
There is often a rift between Directors, IT’s beliefs and planning, and the perception of security personnel working to protect company assets.
Seventy percent of Directors say they have responsibility for managing and monitoring risk. However, reviews and audit assessments often reveal that they do not have the basic understanding required to comprehend cyber data and the requirements necessary after an attack and a current risk assessment have taken place.
As a Board member you should honestly review your understanding and comprehension of the issues surrounding cyber security and the data analysis opportunities offered to the business. Ensure you continually upgrade your understanding of and engagement with these IT systems: it will certainly help your organisation, it will improve your questions to clients and employees, and it will improve your career understanding and prospects.
However, there is an IT gap that you need to be aware of and check: the lack of talented and experienced cyber security IT specialists available. Given the current threats, an increase in security IT personnel will probably be necessary.