Will 2016 be the year we improve?
I have just been reading the latest Ponemon Institute report: 2015 Cost of Cyber Crime Study: United Kingdom. It will not surprise any reader that Cyber Crime in the UK is on the increase. There have been a number of high profile breaches in 2015: Talk Talk and Carphone Warehouse to name but two. But how many are we not informed about? What is industry and not just the IT industry doing to stop these attacks?
At the time of the Talk Talk attack the Institute of Directors (IoD) acknowledged that only “serious breaches” made the headlines, but attacks on British businesses “happen constantly”. But is this because we are not learning from the attacks that happen? After all there isn’t really a spirit of openness around such things. But there is plenty of FUD (Fear Uncertainty and Doubt) spread by the knowing and some not so knowing professionals.
If we take the Talk Talk example. In some ways I feel a little sorry for them, in some ways I don’t. The attack was rumoured to be a SQL Injection and the perpetrators were described in the press as clever, talented and sophisticated. In reality they were none of these. SQL Injection has been a vulnerability known about for decades and so has the prevention method. So why was it not applied? The tools the ‘hackers’ used would have been able to exploit the vulnerability with relative ease. It was also only rumoured that the attack was SQL Injection, Talk Talk could not confirm this.
Without this information being shared, how are organisations going to understand the true scale of the Cyber Problem? I can understand many senior board members feeling that they have everything in place and the “it will never happen to us” mentality. But the risks are high. Rarely in business are attacks targeted, they are usually indiscriminate and opportunist. Businesses need to adopt the mentality of locking the metaphorical doors and windows of their IT systems, forcing the opportunist elsewhere.
Cyber attacks are going to be a fact of life, but only if we ‘pull together’ as a society, can we start to defend ourselves. So what do we need to do:
- Make it mandatory to report a cyber attack, the methods used and the affects on the organisation;
- To achieve point 1 stop vilifying the victims and learn from their ‘mistakes’;
- Make it a legal requirement to have a board member responsible for the security of systems. I am amazed that 40% of companies still don’t have board level reporting of information security.
- Put information security on a footing equal to Heath and Safety (without the over zealousness).
Government are taking steps in the right direction: establishing the National Cyber Centre for one. CiSP has been allowing organisations to share Cyber Attack information for a few years now, but I wonder how many boards are aware of the nature of attacks in their sectors.
In 2016 let’s move to a more proactive approach to securing systems and information.
Main image by: Alexandre Dulaunoy