Executive Insights on Information Security
“How resilient are we – really – to a cyber attack that gets through?”
That’s what you should ask your colleagues to consider when you share these insights.
Cyber developments your colleagues should know about
“We get a lot of people hanging up” is perhaps the most remarkable insight from the UK National Cyber Security Centre’s Annual Review, published on 16th October.
The NCSC explain that cyber resilience preparation is so poor at some organisations that no-one even takes the call when the NCSC telephones to offer help during an attack.
Attacks by Sector
The business sectors that are most scanned, hacked and exploited change often. At the moment, the Accounting, Construction and Finance sectors experience the highest number of bad-actor scans. Within Finance, attacks on cryptocurrency platforms doubled this summer, and hackers stole over $100m from cryptocurrency platforms in the last quarter. Some in Finance worry that the new “open banking” regulations will make it harder to protect the core payments infrastructure, because they increase the attack surface available to hackers. Of course, the development doing most to increase the number of devices through which a hacker can enter your network is the Internet of Things (IoT).
Internet of Things
The difficulty of making IoT devices resilient to hackers was demonstrated by a new report on the US Military.
When testing internet-connected weapons systems, the US GAO found “it took one hour to access and one day to gain full control of the system during a test.”
Even more worrying for resilience: “only 1 in 20 cyber vulnerabilities identified in a previous assessment had been corrected.”
To build cyber resilience after WannaCry, the NHS announced this month plans to invest over £250 million.
Meanwhile, in the Finance sector, 22% of banks surveyed have increased their investment in cyber defences by 100% or more over the past 3 years.
In banking, about half of companies are increasing investment in security intelligence platforms, security for the Internet of Things, and blockchain.
Banks are having some success against fraudsters, with 66% of the £1,064m reported attempts at Unauthorised Financial Fraud prevented by UK Finance members in H1 2018.
A lack of cyber resilience among staff means phishing continues to grow. Currently the most frequent payload delivered by successful phishing attacks is cryptomining software (up 459%), followed by ransomware.
Interestingly, new research shows that Friday is the “safest” day against phishing, with businesses losing half the number of sensitive credentials at the end of the working week compared to Tuesday-Thursday. Of course, this statistic might simply reflect that fewer emails are opened (after lunch?) on Fridays.
Security concerns are slowing technology investments in certain areas. A report published by AFME (Association for Financial Markets in Europe) found that only 29% of leading banks believe there will be rapid adoption of public Cloud in the next five years, because of security concerns. This survey was released before Bloomberg’s shocking report, since disputed, that China had placed spy chips in hardware used by the main cloud providers. A key resilience lesson is that organisations should be wary of outsourcing all security measures to cloud providers, as Kmart and Sears both recently learnt to their cost.
Already though, 20% of sensitive customer and corporate data resides outside the corporate perimeter.
Privacy Budgets help Cyber Resilience?
Research published in October 2018 found that the average spend on the Privacy budget is equivalent to $182 (£140) per employee across Europe, vs $114 (£87) in the USA.
Typical spend just to comply with GDPR was $3m (£2.3m). Of this $3m, about $1m has been spent on staff, $500k each on consultants and external lawyers, plus $650k on technology and $350k on training. Compliance with the GDPR “Right to be forgotten” and “Access Requests” is proving most difficult for DPOs.
In the UK, the number of breach reports quadrupled in the months before and after GDPR. But remember that the UK’s ICO (Information Commissioner’s Office) has a budget of only £27m, of which two thirds is spent on its 480 staff and contractors. The ICO issued fines totalling £1.29m for 11 data security failures in the last year, after reviewing 3,156 data breach reports. In other words, only about 0.3% of such reports led to a fine by the privacy regulator.
Data breach impacts
Research published in October 2018 analysed the consequences of privacy breaches. In 52% of cases, some customers ask for compensation, 46% result in major reputation loss, 35% cause customer churn, 34% lead to drop in stock price, 31% result in customer legal action, and executives were let go after 23% of major data breaches.
Suppliers (Information Processors)
Suppliers cause many of the most serious data breaches. 25% of organisations have already changed vendors in response to GDPR, with a further 30% considering future vendor changes.
Article 32 of GDPR helps with vendor resilience: it requires a process for regularly testing, assessing and evaluating the effectiveness of the security measures in place, including those at the information processors who handle your data.
But 63% of organisations have not yet assessed the cyber security of all vendors, so we provide graphs like this to automate the task.
Rapid Evolution of Cyber Threats
The number of unique cyber incidents is growing about 47% per year, but some threats are rising much faster. For example, attacks on Microsoft IIS web servers (used by 9% of web sites) increased almost 1,000 times in the last quarter. New application exploit kits are released almost daily, while most organisations refresh security practices perhaps once a year and security solutions every three or four years. Already, standard ways of detecting and interrupting an attack fail to defend against the compressed attack techniques now used in 88% of attacks.
With so much data outside the corporate firewall, experts emphasise resilience and recovery as much as prevention, so engage in simulations like this one. To stay up to date with executive insights on cyber leadership, follow Cyber Rescue.
Want to prepare for the cyber security challenges you will face? Improve your strategies for training and crisis management.
Register for the AICPA & CIMA Cyber Security Europe Conference