Cybersecurity is an increasing concern for companies. Last April, the UK Department for Business, Innovation & Skills (BIS) published the 2014 information security breaches survey: technical report. The report comprises the findings from two online questionnaires completed by 1,125 respondents, and contains a number of important cyber-attack statistics for both large organisations and small businesses.
The results indicate that while UK businesses are paying more attention to cybersecurity, the scale and cost of security breaches have nearly doubled in the past year, with losses from the worst breaches ranging between £600,000 and £1,500,000. In the United States, the number of companies reporting concerns about cybersecurity to U.S. regulators more than doubled in the past two years, to 1,174.
The following cybersecurity concerns affect corporates, start-ups, investors and shareholders, and highlight some of the obstacles to addressing cyber-attacks:
Businesses continue to view cybersecurity as a purely technical matter. Businesses tend to focus on technological vulnerabilities (e.g., insufficient patching of servers or routers) rather than protecting the most critical business assets or processes (such as customer credit card information), which concern customers and consumers.
Businesses need to adapt to address security risks from new technologies. Businesses need to address security risks from the cloud, social media and mobile using a more holistic approach rather than protecting digital assets by targeting the data centre perimeter and managing user access, authorisation, and authentication from known locations and devices.
Businesses need to adapt to the challenge presented by the pervasive use of personal mobile devices by staff and security. A robust Bring Your Own Device policy ensures that employees are aware of the risks introduced when sending or receiving corporate information on a personal smartphone or tablet, and should address effective security to comprehensively manage user identity and access to sensitive corporate data.
Businesses need to make cybersecurity a board issue. C-suite engagement can help address cybersecurity threats effectively to protect critical information assets without placing constraints on innovation and growth.
Businesses need to monitor cybersecurity and implement a rapid response program to address breaches. Audit committees should take a risk-based approach and address cybersecurity risks with appropriate frequency. Doing so would help minimise the risk that arises from such events as stolen passwords and unauthorised access. In addition, the board or the appropriate committee should satisfy itself that management has in place the resources and processes necessary to respond to a breach in order to minimise the effects. By having well-documented information security controls, processes, or certifications in place, businesses increase their appeal to clients by directly addressing any concerns.
Businesses need to adapt to deal with more sophisticated cybercrime. Antivirus software and firewalls alone are no longer adequate. As attacks against large companies such as Target, Adobe and Sony illustrate, businesses can no longer work on a prevention-first security strategy which purely relies on protecting the perimeter. Businesses need to innovate and focus on protecting their core data through data encryption, or even shape-shifting botwalls.
Failing to address these issues may result in a cybersecurity breach leading to lost revenue and significant damage to a business’ brand as it affects both customer and investor confidence. In addition, a breach may result in remediation costs to customers or partners, litigation, compromised intellectual property, and cuts to staff.
Both large companies and start-ups need to be aware of these risks and take steps for planning, implementing, and reviewing cyber-defences. Larger organisations may consider minimising their risk by making sure that all entities they do business with adhere to these standards.