Cybersecurity progress being made but people remain weak link

15 December 2017 Consultancy.uk

Poor cybersecurity has been estimated to cost up to $480 billion in lost GDP globally. A new survey has found that the US and UK are making major progress on the matter, with around 70% of both respondent groups stating they had improved business processes.

Cybersecurity has increasingly climbed the corporate agenda as the scale and sophistication of attacks increases. A recent report from Grant Thronton showed that cybersecurity related incidents are estimated to have cost businesses $280 billion in 2016 globally. In a new report from Willis Towers Watson, current trends in the UK and US cybersecurity defences are examined.Progress made in respective areasResearchers expect progress in the area over the coming three year spell, as more companies develop defences across organisations to mitigate the vulnerability to a cyberattack, compared to three years earlier. The study notes, however, that two areas are to see decreased focus, with ‘improving the technology systems and infrastructure’ falling 8 percentage points among respondents’ priorities in the US to 68%, and 9 percentage points in the UK to rest at 66%.

Over the next three years, business will be made on ‘improving business and operating processes’ instead, which will rise by 14 percentage points and 23 percentage points in both the US and UK respectively to 72% and 69%. ‘Addressing the factors tied to human error or actions’ will likewise see advances, rising by 22 percentage points in the US and 35 percentage points in the UK, to 74% and 75% of respondents respectively.

One of the key methods of gaining entry to an organisation is social engineering. The technique basically leverages weaknesses in staff procedures, peoples’ natures and other facets of the social realm, to gain access to key information, which can then be leveraged in a more wide-ranging attack. Training staff to better avoid falling into one of the many traps set by adversaries is, as mentioned before, increasingly seen as a key route to limiting the utilisation and effectiveness of the vector.Behaviour in linked to training timeOther areas saw varying levels of time invested into training, although the research noted that more time spent on training saw improved results for outcomes. To map outcomes, researchers from the consultancy firm categorised four different groups. These include: “Alert’, or those who protect personal information in daily life and are aware of information security at work; ‘Comply’, those who follow data/information protection policies at work but are careless on a personal level; ‘Ignore’, those who pay attention to protecting personal information, but who don’t act with the same care at work; and ‘Unconcerned’, those whose technology usage patterns at home and work may lead to potential cyber risks.

Education is key

The research noted that the difference between less than 20 mins of training and at least half a day saw a considerable increase in the Comply category, up from 17% to 38%, alongside a small increase in the Alert category, and a large decrease in the Ignore category. The research also noted that, overall, generation Y respondents were the least careful with data protection and information security, reflecting a need to develop training protocols specifically for the group. Time spent on cyber training in the last yearOther areas in which differences were noted between levels of awareness and cybersecurity related work safety related to occupation and gender. Interestingly, non-IT workers were considerably more likely to be alert compared to IT workers when it came to data protection and information security – the percentage of those alert between the respective groups stood at 42% and 20%. Those in IT were also slightly more likely to be in the Ignore category, at 24% and 17% respectively – possibly out of complacency due to their relative expertise in the area.

The move to improve the wider cybersecurity landscape by offering a variety of different insurances is creating a burgeoning ecosystem. Insuring against largest scale attacks remains problematic, however, with the potential high-cost of covering certain types of events, such as the Sony or Yahoo hacks, being prohibitive on the industry. In smaller cases, however, products have become available.

In terms of the kinds of breaches that garner claims, employee negligence or malfeasance tops the list, at 66% of all claims. External factors take the number two spot at 18% of claims, while 9% fall under other. Cyber extortion and network business interruption, are relatively unused. Companies in the UK are increasingly focused on helping companies deal with training personnel to avoid the worst kinds of attacks.

More news on

×

Boards of top UK firms must do more on cyber-awareness

06 March 2019 Consultancy.uk

A new report released by the UK Government has found that UK businesses need to do more to build awareness in their firms, if they are to fend off cyber-attackers. The study found that an all-time high of 72% of businesses now see cyber-threats as a top risk, but just less than half of UK boards do not have a comprehensive understanding of the critical assets at risk from cyber-attacks.

Digital technology has revolutionised modern business, with a rate of innovation present in many companies that arguably eclipses that of the industrial revolution. The huge opportunities presented by technology mean that many firms have rushed to digitalise their offerings; but while this means they are able to take advantage  of the latest trends, it has also opened innumerable doors for cyber-criminals looking to use technology to loot corporations from across the globe.

Illustrating the extent to which cyber-crime has boomed in the last decade, in the final quarter of 2018, a study commissioned by Bromium and presented by Dr. Michael McGuire at RSA found that the cyber-crime economy has grown to an estimated $1.5 trillion dollars annually. That is only a conservative estimate – but that conservative figure alone is so large that if it constituted a national GDP, instead of a collection of digital frauds, it would be the world’s 13th largest economy.

Amid this state of play, it is easy to see why cyber-security has become one of the key watchwords of any board room in the 21st century. The cyber-security consulting segment has boomed, with the world’s 10 largest operators in the segment bringing in more than $11 billion in related fees, as businesses tap external expertise to help find areas where they can improve their defences. As noted by a new UK Government report, the legacy of this spike in consulting activity is that almost all UK businesses now have a cyber-security strategy, with only 4% admitting otherwise. 

Cyber threats are increasingly seen as high risk in comparison to other risks that businesses face

This comes at the end of a sea-change in attitudes toward cyber-security over the last five years. According to the 2018 FTSE 350 Cyber Governance Health Check, in 2013, the largest minority of businesses felt cyber-threats represented a low operational risk, at 38%, compared to just 25% who saw it as a very high group risk. Now, the two opinions have seen a dramatic reversal, with only 6% seeing cyber-security as a low threat, compared to a huge 72% of businesses which see it as a very high risk. Considering the high profile hacks that occurred in the interim, this is perhaps not that surprising.

However, while cyber-awareness in general is at an all-time high, this is where the positive news ends. According to the study, while the vast majority of firms in the UK have a cyber-security plan in place, only 46% have a dedicated budget to enact that strategy. Should their financial positions change rapidly in the near future – something increasingly likely with the prospect of a No Deal Brexit still looming over the horizon – then that plan could fall by the wayside, with the funding shortfall exposing firms to even greater financial damage in the near future.

The study, released by the Department for Digital, Culture, Media & Sport (DCMS) in March 2019, was undertaken in partnership with Winning Moves and support from EY, KPMGPwC and Deloitte, working with their FTSE 350 clients to participate in the survey. The study also found that while most businesses have incident response plans, most are not testing them: 95% of FTSE 350 businesses have an incident response, but a mere 57% test their crisis incident response plans regularly. With companies facing the consistently evolving threat of cyber-attacks, that could leave major chinks in their armour undiscovered until it is too late.

Board understanding of business-critical assets

Similarly, many firms also seem oblivious to the threat posed by their wider supply chains, which if left unchecked, provide hackers with a blank cheque to access company data. A majority of boards do not recognise supply chain risks beyond the first tier, as 77% of FTSE 350 businesses told researchers they did not recognise the risks associated with businesses in the supply chain with whom they have no direct contact.

Meanwhile, almost half of UK boards do not understand the critical assets at risk from cyber-attacks. 54% of businesses in 2018 rated the board’s understanding of critical information, data assets and systems as comprehensive, while of that, only 12% said understanding was the best it could be. This compares to 43% of boards in 2017 and 32% in 2015/16 stating they had a clear understanding, suggesting that key progress is being made, but also that there is a great deal of room for improvement.

Commenting on the findings, Digital Minister Margot James said, “We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber-attack. This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made. Cyber-security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”