Information security is an issue that has been hitting the headlines in recent weeks, with a series of high-profile attacks. Not only did they show that major firms are susceptible to cyber-crime, they also illustrated the reputational and financial costs of a major breach. Specialist management consultancy Baringa explains how businesses can stay ahead of the game.
This is not an issue that will go away any time soon; a UK Government survey this year found 90 per cent of large businesses across all sectors had experienced a cyber-attack. The World Economic Forum has also identified large-scale cyber-attacks as one of the biggest emerging risks over the next ten years. So businesses, both big and small, are naturally questioning what security support they need and what emerging trends they should be aware of.
Increasing use of data
One major shift has been that customers are increasingly demanding a seamless user experience from the businesses and products they use. They want to be able to access their personal data from a variety of channels and have interoperability between different devices and manufacturers. Whilst common standards are developing to allow this, it means that, when combined with an increase in outsourcing, an organisation’s data can often be spread across multiple third parties.
This should make businesses think carefully; there are increased opportunities to compromise data through attacking the security of any one of these connected companies. As a result, one of the most critical aspects of cyber resilience is maintaining effective oversight of supply chains and ensuring any third parties that hold data have rigorous security standards.
Ultimately, the security of customer data must be seen as critical and should not be sacrificed for the sake of usability. Unfortunately, businesses must enter the digital market or they won’t survive. As such, in the real world, security does get sacrificed in the drive to meet customer expectations. This doesn’t always have to be the case.
The most ingenious technological improvements are those that make customers’ lives easier and at the same time improve the privacy and security of their data. One example is the use of mobile phones for two-factor authentication; another is leveraging fingerprint scanners for authentication. By looking at new developments as opportunities for security innovation, we can avoid creating this dichotomy whereby a decision must be made between security and usability.
Another emerging trend is that non-financial industries are becoming increasingly popular targets for cyber-attacks. Last year, the proportion of attacks launched on the financial sector fell from 12% to 7%. This is in stark contrast to the retail sector, which saw a rise from 5% to 13%. One possible reason for this shift is that the banking sector has worked hard to tighten its security controls, taking inspiration from the approaches used for military cyber-defence.
The FCA and the PRA have been working with banking firms to help them adopt cyber resilience action plans and run CBEST vulnerability audits. The evidence shows that banks are no longer as vulnerable to the casual hacker; this shows that through concerted and determined effort, vulnerabilities can be reduced, and resilience to breaches can be improved.
Hackers have recognised that the value of the data to the individual (e.g. the use of ransomware to lock away data from the individual), or the value of an organisation’s reputation (e.g. threats to release customer data), can sometimes be greater than the value of the compromised data sold directly on the black market. The next step may be to sell shares in an organisation, release details of a breach and then profit from buying them back at a cheaper price.
Building a secure business
Cyber security is not only a technology issue, but it’s a people issue as well. Efforts need to be made to establish a ‘security culture’, which is developed through procedural and behavioural training. This needs to be treated as an important compliance issue, and as such be driven by the Board and senior leaders. These executives are often in the spotlight after a data breach and so need to take an interest in stressing the importance of stringent security systems, policies and behaviours.
Firms should not only think about security when there is a suspected breach but should instead ensure it plays a part in all decision making. If businesses are considering mergers or collaborating with other companies, they should conduct due diligence to assess if the resulting data can be securely integrated. It is critical that businesses plan ahead to combat the ‘worst case scenario’; the Department for Business, Innovation & Skills has been encouraging firms to look into the possibility of cyber liability insurance to cover major breaches.
Recent headlines and trends around data security have been alarming; it is an issue that will affect increasing numbers of businesses over the coming years. However, the solutions are not out of reach; any firm can identify its security risks and develop cost-effective ways to protect itself from a breach. By investing in people and policies, and remaining open to innovation, companies can make sure that they’re hitting the headlines for the right reasons.