The New Year is a time to look forward, and also a time to reflect on the year just gone.
In January 2018, IT Pro Portal published some timely advice:
“Right up to the end of 2017, massive cyber-attacks made immense waves. In the year ahead, organizations must prepare for the unknown, so they have the flexibility to endure unexpected and high impact security events. To take advantage of emerging trends in both technology and cyberspace, businesses need to manage risks in ways beyond those traditionally handled by the information security function, since innovative attacks will most certainly impact both business reputation and shareholder value.
Based on comprehensive assessments of the threat landscape, the Information Security Forum recommends that businesses focus on the following security topics in 2018:
- Crime-As-A-Service (CaaS)
- Expands Tools and Services
- The Internet of Things (IoT) Adds Unmanaged Risks
- Supply Chain Remains the Weakest Link in Risk Management
- Regulation Adds to Complexity of Critical Asset Management
- Unmet Board Expectations Exposed by Major Incidents”
You can read the whole article, including further detail on each of the key topics.
IT Pro Portal also provides a list of some of the biggest data security breaches of 2018 including FIFA, Google+, Facebook, Uber, and British Airways.
Small and medium-size businesses are at risk too, even more so because they often cannot afford the impact of a cyber-attack. Back in 2016, the Denver Post had some advice for smaller organizations that are still relevant – especially as smaller businesses with potentially weaker cybersecurity are an increasing target for bad actors looking to gather data to help them plan and execute major scams.
The risk has grown to the point where UK cybersecurity insurers Hiscox launched an innovative awareness campaign that includes streaming live details of attempted attacks on their own website and at 37 live billboard sites in 8 cities (Find more information about the awareness campaign and video of the live posters here):
“London, UK (18 October 2018) – Small businesses in the UK are the target of an estimated 65,000 attempted cyber-attacks every day, according to new figures1 from specialist global insurer Hiscox.
The estimates are based on tests undertaken by the insurer which monitor, in real-time, the total number of attempted attacks on three ‘honeypot’ computer systems which are typical of those used by small firms across the country.
The total number of attempted attacks ranged from 900 to 359,000 in every 24 periods, averaging 65,000 over the three weeks the servers have been monitored.
In order to raise awareness of this issue, Hiscox is live streaming the number of attempted attacks to its website at www.hiscox.co.uk/cyberlive and also broadcasting the figures live on over 100 billboards across the UK.
According to the insurer, almost one in three (30%2) UK small businesses suffered a cyber breach last year – equivalent to over 4,500 successful attacks per day or one every 19 seconds.
Cybersecurity incidents cost the average small business £25,700 last year in direct costs (e.g. ransoms paid, and hardware replaced) but this is just the beginning. Indirect cost such as damage to reputation, the impact of losing customers and difficulty attracting future customers, remains unmeasured but is expected to significantly exceed this.
James Brady, Head of Cyber, Hiscox UK and Ireland commented: “We know small businesses in the UK are hot targets for cybercriminals and these figures highlight the alarming extent of this. Most small businesses recognize the threat that cybercriminals pose on a global scale, but are less convinced of the risks facing their own operations, considering themselves ‘too small’ to be worthy targets, but this just isn’t the case.
“Hackers are prolific and sophisticated which makes staying on top of cybersecurity a challenge for all organizations. With many small businesses lacking credible cybersecurity strategies to help manage and prevent such attacks, however, the impact when they do occur can be disproportionality severe.
“Outsourcing cyber security management is one option as this can be a more cost-effective way to access instant, scalable resources in the event of an attack. The best cyber insurance policies will provide exactly that – practical support including legal advice, forensics and reputation management to help get a business back up and running as quickly as possible.”
When questioned, only 52% of UK small businesses stated that they have a clear cybersecurity strategy in place to manage the impact of an attack, which Hiscox says can significantly hamper their ability to detect, manage and prevent security breaches, as well as make the overall impact much more severe.
Experts agree that communication during and after a cyber-attack is critical to managing it, yet only 56% can say with confidence that they fully disclose details of a cyber-attack to the relevant internal and external stakeholders. This is particularly concerning given the introduction of GDPR this year, which requires all organizations to report a data breach to the ICO within 72 hours and notify affected customers without undue delay.
Most alarming of all is that the majority (66%) of those that suffered an attack, admit to making no changes to their policies or systems to help prevent further breaches in the future. This is perhaps one of the key reasons why over half (56%) of those who have suffered a breach, are the victim of multiple attacks.
Cyber Security Best Practices: Prevent, Detect and Mitigate
There are a number of basic steps that small businesses can take to help protect against the evolving threat that cybercriminals pose:
- Involve and educate all levels of the organization about cyber threats.
- Have a formal budgeting process and ensure cyber is a part of all decision making.
- Institute cyber training during the on-boarding process and in an on-going manner.
- Include intrusion detection and on-going monitoring on all critical networks.
- Track violations (both successful and thwarted) and generate alerts using both automated monitoring and a manual log.
- Record all incident response efforts and all relevant events.
- Create a plan for all incidents, from detection and containment to notification and assessment, with specific roles and responsibilities defined.
- Review response plans regularly for emerging threats and new best practices.
- Insure against financial risks with a standalone cyber policy or endorsement.”
– Sourced from Hiscox press release October 18, 2018