Investing in cyber security for your business: is it worth it?
We read every day about new cyber exploits: large businesses have been hacked and financial information stolen, political parties have had their websites defaced, fake news is proliferating, and ID theft is seemingly rampant. Our corporate and domestic email inboxes are filled with spam.
Politicians, corporate board members and individuals ensure that the call for countermeasures is deafening. Social media is littered with opinion and chatter about hacking. In IT employment, qualified security professionals are in heavy demand.
But in the face of all that, cyber security is seen as a grudge purchase. The perception seems to be that an organisation is spending money on something that brings little by way of measurable benefit. But, just like skimping on insurance, the cost of having no or inadequate cyber security can be far greater than the cost of having it.
Businesses are critically dependent on their computer systems. Most businesses use them for financial administration, sales and marketing, and payroll. Depending on the business, they may also use them in manufacturing, distribution and other related areas.
Compare the regular cost of cyber security with the cost of losing all your computer systems and business data to a ransomware attack. What is the cost of your biggest competitor getting into your systems and stealing your latest business strategy or research and development plans? If you run an online business, how would you survive malware making your web-based shop unavailable to purchasers?
Quite simply, having your systems open to malware and data theft could be fatal to your business. In addition, many business investors, including your bank, will be reluctant at the very least to support your business under such circumstances. In some jurisdictions, having no cyber security could leave you open to ruinous litigation.
Is it worth it? A resounding yes. In the words of Margaret Thatcher – there is no alternative.
What threats should your cyber security defences guard against?
Phishing and Spear Phishing
The first threat is your users. The FBI reckon that over 70% of all cyber incidents are because a user made an inadvertent or deliberate error. The most common is a phishing attack. A user clicks on a link in an email from an apparently trusted source, or on a website, and is taken to a malicious location.
At that location, malware downloads onto the user's PC, possibly propagates through the corporate network, activates and does its work. That work might be recording and passing back user logon information, stealing financial or confidential company information, or simply corrupting your systems and data.
Phishing is delivered using a bulk email list of several thousand to hundreds of thousands of email addresses. A more sophisticated version, spear phishing, targets specific individuals in the organisation whom the hackers expect to hold information useful to them.
Users must be educated not to click on email links, or links on websites, that appear in the slightest dodgy. They must treat their logon information with the same care they treat their ATM PIN.
Bring Your Own Device
The use of user-supplied smart devices, tablets and phones over WiFi networks has been a blessing to corporate IT departments in that it reduces capital spend budgets. It is also a curse in that the IT department now has significantly reduced control over the devices that can be attached to the corporate network.
The ability of an unknown individual to attach a potentially malware-riddled, unknown device to the network gives IT managers nightmares. The major implications are for malware control, authentication and data transfer:
- Stringent verification and, if necessary, cleansing of attached equipment. Anything attached to the network must be scanned for malware before it is allowed any contact with the active network. This should also apply to devices such as flash drives attached to user PCs.
- User authentication. Everyone connecting to the network must have valid logon credentials that identify them as an authorised or guest user. Nowadays two-step authentication is becoming the norm.
- Data transfer. Transferring data outside the organisation, and for particularly sensitive data inside the organisation, must be strictly controlled.
From a technical standpoint, there are fewer attacks against the core network itself. Having said that, Distributed Denial of Service (“DDoS”) attacks against corporates are fairly common, as are probing attempts to see whether the cyber defences can be breached and sensitive information stolen.
While an attack on a user PC may not affect the entire network, attacks on the core systems can bring everything down. A successful ransomware attack on the core servers will be devastating for any organisation. A counter strategy is essential.
To answer the question – is it worth investing in cyber security? – the answer is an unequivocal and emphatic yes. The very survival of your business could be at stake if you don’t.