Low data protection and poor staff training leave businesses open to cyber threats

07 December 2017 Consultancy.uk 5 min. read

The increasingly sophisticated techniques employed by cybercriminals mean that digital data is increasingly at risk. However, despite the fact that most attacks can still be thwarted by relatively basic cybersecurity approaches, 35% of businesses say that their data protection policies are either situational or non-existent. A new report has found that training staff is a critical measure companies can commit to for improvement, while patching vulnerabilities remains key to good cybersecurity practice.

Due to its defensive nature, cybersecurity is often seen by businesses as a cost line rather than an investment, while its benefits remain hard to see. However, with increasingly high-profile break-ins, business disruption, direct losses and reputational damage costing companies large sums, investment and insurance are becoming more important.

Further digitalisation and new technologies are increasingly giving rise to more sophisticated adversaries. Modern cybercriminals exist in a more fluid and high-risk environment, prompting companies to consider ways of quickly building defensive capabilities. In a new report from EY, titled ‘Cybersecurity regained: preparing to face cyber attacks’, the consultancy firm explores the threat landscape and how companies are reacting, as well as strategies that can mitigate risks. The report is based on responses from 1,200 global C-level leaders.

Threat landscape

The current threat landscape varies considerably. Common attacks, perpetrated by various actors, from competitors to organised but amateur criminal groups, rely on basic vulnerabilities, often targeting weakly defended businesses and users with freely available hacking tools. When the WannaCry attack hit the NHS, it did so largely thanks to poorly maintained legacy editions of Windows XP, which had not been updated by the cash-strapped institution.

However, more sophisticated players, such as organised hacking groups, industrial espionage teams, cyber terrorists and nation states, have considerably more advanced methods at their disposal, using everything from exploiting weak staff members to ‘zero day’ exploits in common software to gain entry to systems. Infiltration could involve planting members, exploiting vendors and suppliers, and more targeted software engineering aimed at a particular system.

Threat vulnerabilities perceptions

Yet, as hackers become increasingly sophisticated, the rapid pace of technological change and a lack of inherent concern about potential vulnerabilities also open up a swathe of new attack vectors, making it hard for businesses and users to defend their borders. Smart devices, particularly the (industrial) Internet of Things, are ripe for exploitation, while business laptops used privately represent a risk vector too. Drones, as well as other new technologies such as AI, could also pose additional threats if used to gain covert access to networks or to identify holes in defences.

Businesses believe that their highest level of vulnerability resides in staff. The portion of respondents citing staff as one of the top two security risks has increased steadily since 2015, up from 44% to 60% in 2017, while outdated information security controls or architecture, and unauthorised access, have seen drops since 2016, falling from 48% to 46% and from 44% to 37% respectively.

The two areas in which the most respondents report threat exposure, malware and phishing, have seen considerable increases, up from 44% in 2015 to 64% in this year’s survey. Internal attacks have dropped to the lowest level recorded, while cyberattacks have seen decreases too.

Mitigating risks

According to the study, a large number of possible attacks can be prevented by blocking the most common vulnerabilities. As it stands, many of these vulnerabilities are relatively well understood, so a significant number of attack vectors can be closed off with relatively low investment. Training staff, patching key vulnerabilities and developing protocols, as well as wider policies, are the most effective ways to reduce risk.

As it stands, however, three quarters of those polled said that the maturity of their current vulnerability identification technique is low to moderate, while 35% replied that their data protection policies were reactive, designed on an ad-hoc basis, or non-existent, even with GDPR rules coming into effect next year. Other areas of concern included companies that lack a breach detection programme (12%) and those that lack an identity and access programme (38%).

Paul van Kessel, EY Global Advisory Cybersecurity Leader, said, “The most successful recent cyberattacks employed common methods that leveraged known vulnerabilities of organisations. Also, the increasing hyper-connectivity and waves of new technology, while creating huge opportunities, introduce new risks and vulnerabilities across the organisation. Therefore, as organisations transform into the digital age, they must examine their digital ecosystem from every angle to protect their businesses today, tomorrow and far into the future.”