There is no doubt that the rise in organisations being subject to ransom demands via software and the internet has focused more attention on information security recently.
And the introduction of legislation like GDPR has focused attention on the broader issue of cybercrime, data and infrastructure security, although if it weren’t for legislation, I question whether there would be much interest.
Certainly, businesses are more worried about what a data breach or cyber-attack might cost them than ever before.
Let us not underestimate the issue though: 46% of all businesses identified at least one cyber-security breach or attack in the last 12 months, according to the Gov.UK Cyber Security Breaches Survey 2017.
Interestingly, this only takes into account breaches from the perspective of those which come from outside the organisation.
But as the table below, courtesy of the World Economic Forum, shows, most threats don’t necessarily come from external sources, but from inside the organisation.
[Table: Insurance Claims by Breach. Categories include “Employee negligence or misuse” and “Network business interruption”. Source: Willis Towers Watson, WEF]
While cyber-attacks and breaches from criminals and dodgy governments might make most of the headlines, and in many cases have the greatest financial impact individually, it’s actually more likely and more common for a disgruntled or slack employee to cause you problems.
Research in the USA on awareness of cyber threats and employee behaviour, from over 2,000 firms surveyed, showed that:
- 46% believe that opening any email on a work computer is safe
- 43% have received a suspicious email at work (with 80% indicating they informed IT)
- 34% have witnessed a co-worker violating company information security policies
- 32% have logged into their work computer using an unsecured public network
- Only 32% report discussing information security risks with their immediate managers
- 22% used personal computing devices not approved by IT to do work at home
- 18% have downloaded software not approved by IT onto their work computers
- 15% have shared network passwords with work colleagues
Source: Willis Towers Watson
Is that OK? Clearly not, but the size of the problem and its source appear to be clear, and in a way that’s actually a good thing.
You have little control over the actions of those external to your organisation; against them you are reliant on, and must focus on, preventing penetration of your systems.
But you can do a lot to address the problems generated from inside your organisation, and as they say, prevention is better than cure!
What are key causes of internal issues?
The Cyber Security Breaches Survey 2017 found in April 2017 that,
“Similar to the 2016 finding, only a fifth (20%) of businesses have had staff attend internal or external training on cyber security in the last 12 months. And this was much more common within medium and large firms, with emphasis on leaders and IT.”
Is that really going to solve, or even scratch the surface of, the issue if it excludes most staff, particularly in SMEs?
The Survey went on to conclude that,
Although having good technical controls and governance measures in place is important, awareness raising, education and training across all staff regardless of specialism is vital too. So, not just IT.
This is because the most common breaches occur due to attacks which exploit human error, which can be based on lack of understanding and ignorance of consequences. Phishing, viruses and ransomware are typical of such attacks.
Leadership has a role and responsibility in raising the profile of cyber security. While it appears that there is training and education for senior executives, this should be distilled through the organisation as heightened awareness of, and motivation on, security and best practice. Simply: leading by example.
And if concerns about the internal environment and culture are not enough, the survey also highlighted those close to the organisation as potential risks. Namely, suppliers and customers.
In the 2017 survey, a fifth of businesses showed concerns about their suppliers’ cyber security.
But less than 20% of businesses require suppliers to adhere to specific cyber security standards or codes of good practice.
This would suggest that a large number of businesses are, for whatever reason, not even addressing or containing this particular risk.
How to address these issues.
Improving training and cyber security awareness across the organisation beyond management and IT departments would undoubtedly be the most effective and efficient method.
You could put more formality into your IT&T Management Systems. For example, ISO27001 ISMS implementation will definitely provide robust systems, policies, processes and procedures to assist you.
But if it’s not for you, for a variety of reasons, there are some key requirements of ISO management systems thinking which could help you. This is not an exhaustive list.
- Leadership, appreciation of its responsibilities
- Leadership, taking issues and security seriously
- Having policies to guide activity
- Analysis of risks and opportunities and setting of objectives
- Clarity of roles and responsibilities within the organisation
- Resources, determining and having the right tools
- Environment, having the right conditions, culture and motivation
- Education, training and competence at the core of the business
- Process based approach, with key procedures documented
- Protection of and from customer property
- Ensuring supplier control and relationships
What to do now.
Get in touch because we can help you with implementation of ISO27001 and discuss other tactics to address your concerns about cyber security.
Spedan – We Inform, Support and Sustain