Hacked off: could your business be heading for a cyber fall?
Denial and complacency are your real enemies.
28 November, 2017
"42% feel adequately prepared for a cyber attack - up from 25% in 2016"
KPMG's Global CEO Survey
Cyber security breaches are now an everyday occurrence. It’s not just the high-profile attacks, such as WannaCry, which took down several hospitals, or the Equifax breach: around half of all businesses have faced an attempted attack on their systems in the past year.
The good news? More CEOs than ever claim to be fully prepared, according to KPMG’s 2017 CEO Outlook Report. What worries us, though, is complacency in the face of this “normal” level of attacks, as the cyber threat has slipped down the list of risks respondents are most concerned about.
“The problem is that the nature of those attacks is always changing,” says KPMG Enterprise North Partner, Stuart Burdass. “We now come across cyber attacks via air conditioning units or fridges – the Internet of Things has really made things much harder to lock down.”
“And these can be business-ending events,” he adds. “You might assume that other things are more pressing, more immediate – such as Brexit. But I fear it’s a mistake not to put cyber security high up your to-do list.”
And it needs to stay there, too. Protecting your data and systems from cyber attacks is a never-ending job as the motivations, tools and techniques of the hackers constantly shift. But don’t despair: any business – even without the massive IT capabilities of the corporates – can take simple steps to minimise the risk.
A good cyber security programme comes from the top down. In the government’s own survey of cyber-readiness, organisations where senior management treat cyber security as a high priority are more likely than average to say that their core staff take it seriously (88%, versus 76% overall).
But that leadership must be well informed. We found that 59% of CEOs think they are fully prepared for a cyber event (up from 19% in 2016). Yet, on average, it takes about six months for businesses to realise their systems have been breached. Even in big corporates, with dedicated resources for security, attacks can go unnoticed. So as a mid-market business, you need a realistic game-plan.
“The first question is whether you have a defined cyber risk strategy,” says Burdass. “Basically, you need a clearer view of your company’s vulnerabilities than a hacker – which is not often the case. To catch a criminal, you have to think like one. That’s why getting the right advice is important.”
But you don’t need a degree course in network security to improve matters. Start by identifying the ‘crown jewels’ associated with cyber risk – including data, intellectual property and access to online services. A scoring model can provide some context for comparing and ranking the risk of your assets.
Then remember that it’s better to prevent fires than to have to put them out. Enter software asset management (SAM) – good discipline around the purchase, deployment, maintenance, upgrading and disposal of software on your systems. Almost all malware and hacking threats can be nullified if your software is always up to date and properly configured.
“We worked with a logistics company that has a big security programme – but was still extremely vulnerable,” explains Simon Bolton, who delivers SAM projects at KPMG. “We found thousands of devices across their IT environment with non-standard software setups. Not only were they overpaying on licences, but much of the software had never been patched or upgraded with developer updates. Hackers can exploit those types of weaknesses.”
Security vulnerabilities can scupper your day-to-day trading. Bolton says you simply need to ask what a customer would think if they walked into a store and couldn’t use a credit card at your tills; or if your stock control system went down. Knowing how to respond if your 'crown jewels' were compromised is the next step.
That planning is crucial to your business’s reputation, too. Brand risk is now the third-highest area for concern in the CEO Outlook Report 2017 – and we’ve seen plenty of high-profile resignations following cyber attacks that dented company reputations.
“Reputation and brand are often the biggest casualties of a cyber attack,” says Burdass. “Customers are a lot pickier these days and trust is an important factor. Having an incident plan and a team you can call on is absolutely imperative for any mid-market businesses – and makes the biggest difference in reducing the cost of an attack.”
Your first instinct might be to pull the plug on your systems. But that sends out the wrong message, could shut off the business from customers – and might not even help. Getting immediate, expert advice should be high up your incident response plan.
The first seven days will be the most difficult, with IT security teams working to understand the origin of the breach. And with new rules on breach disclosure coming in as part of the General Data Protection Regulation (GDPR) next year, in many cases you’ll need to have an initial assessment within 72 hours.
But even without those new rules, preparedness and prevention are critical for mid-market businesses. You might not think you’re big enough to be a target. But you are certainly big enough to be a victim if poor software management, lax network security or poor employee practices open the door to industrious hackers.