The latest government ‘cyber governance health check’ and a survey of the UK’s top 350 companies revealed that more than two-thirds of boards have not received training to deal with a cyber incident. IT security experts commented below.
Mike Simmonds, Managing Director at Axial Security Systems:
“I am constantly surprised by the lack of preparation we experience in the corporate world when it comes to cyber-security; we see a relaxed attitude to securing hardware, data and communications almost every day in interactions with existing and new customers. One of the most worrying aspects is the lack of understanding of the serious nature that ignorance brings.
“Ignorance of basic security practices and operations that must be at the top of every companies ‘to do’ list.
“The government has taken the need for education very seriously and have set up accessible bodies to educate at every level of a business, but it is still incumbent on the business leaders to oblige their staff to follow and certify themselves against this training – and re-visit the skills that they have learned on a regular basis – it is vital to stay current.
“Cyber-security is the same as road-safety. It should be taught from an early age, you never stop learning and practicing what you have learned, and it needs to be taken very seriously. When you think that ‘it will never happen to me’ it probably will, or in the cyber-world, it might already have happened, but you have yet to notice.”
Brian Vecci, Technical Evangelist at Varonis:
“GDPR is making it mandatory for organisations to keep their data private. Unfortunately, most have a long way to go in order to get there. Privacy regulations like GDPR are fantastic for consumers–they get extra assurance that their personal information is being protected.
Protecting your customer’s and partner’s data might seem like a low bar to meet, but according to a recent survey of IT leaders in the UK, Germany, France, and the US — where GDPR can apply if you’re doing business with European consumers — 75% of companies say they’ll struggle to be ready by the deadline. It sounds crazy, but it will take years for some companies to make sure this data is secured properly. More than half–52%–say they can’t even find personal information or have any idea who’s got access to it, who’s using it, or when it should be deleted. Even more say they can’t meet GDPR article 17, the “right to be forgotten,” meaning they can’t go out and delete your data if you asked.
GDPR may help elevate data security and privacy at the top of organisations’ to-do lists, but many organisations are struggling with just knowing where it all is. The threat of heavy fines may help change the economic equation and spur organisations forward, but increasing threats like insider breaches and cyberattacks like ransomware have been helping many organisations make these kinds of changes for years. GDPR mandates some basic, common sense controls for data that organisations will benefit from following whether they’re subject to penalties or not. Just knowing where that kind of sensitive data is, building privacy and security into the design of the system, limiting who can access it all and monitoring everything will mean that you limit the potential damage of any kind of break or attack and you’ll know far faster when something goes wrong.”
Marco Cova, Senior Security Researcher at Lastline:
“The recent waves in ransomware attacks have shown that cyber attacks can have significant impact on the real-world operations of the affected organizations: we have seen hospitals in the UK forced to send away patients during the WannaCry attack; employees at large and small companies unable to conduct business for days on end; and companies reporting large significant losses, for example Maersk just reported a 200-300m USD lost revenue from the Petya attack of last month. These are tangible, material consequences from the attacks. If one was to find a silver lining, I would say that these ransomware attacks will probably do more to raise the security awareness of vendors and organizations than many security conferences.”
Andre Stewart, VP EMEA at Netskope:
“This report should be a wake-up call for UK businesses. While it’s positive to see that cyber risk is seen as a top priority for boards, one in ten operate without a plan in place for responding to a cyber incident and over two-thirds have not yet received any incident response training. This is madness when faced with an expanding threat landscape and an increasing appetite amongst cybercriminals for data of any kind. The breadth of attacks over the last 12 months, from the worldwide reach of WannaCry to the targeted blackmailing of hacked organisations like HBO, makes it more than clear that every organisation needs to be prepared for the worst. Investments in technology and shifting to more efficient cyber policies can limit risk and keep cybercriminals at bay but organisations have a real responsibility to their customers. This means being accountable for their data, keeping it private – and being prepared to act quickly if they are the victim of an attack.
“Businesses must undertake their due diligence. Beyond preparing for an incident, they should be monitoring access to data across both the cloud and on premise. As critical data continues to spread beyond the traditional perimeter network and employees increasingly look to cloud services to get work done more efficiently, this vigilance will become even more important.”
Laurance Dine, Managing Principal, Investigative Response at Verizon:
“Today’s government report holds no real surprises. Whilst we’re seeing a growing awareness of the risk that cybercrime presents, the majority of organisations are still underprepared to deal with its impact. A lot of this comes down to a lack of basic cyber-hygiene, such as not having basic security controls and processes in place, or failing to train employees – or in this case business leaders – on how to deal with the threat.
“Indeed, this has been a consistent theme of Verizon’s annual Data Breach Investigations Report over the past 10 years. We’ve seen time and again that the majority of data breaches could so easily have been prevented if basic measures and protocols had been in place. For example, we often see that around two-thirds of breaches are traced back to weak, stolen or lost passwords; which could easily be prevented using two-factor authentication.
“Ultimately, we’ll continue to experience the same old problems until organisations start to take cybersecurity more seriously; treating it as a business-level concern, rather than an IT problem. The fact that less than a third of boards receive comprehensive cyber risk information clearly shows that this just isn’t the case today.”
John Smith, Principal Solutions Architect at Veracode:
“The government’s Cyber Governance Health Check has highlighted the serious concern among executive board members for the increase in supplier liability when data breaches occur. With Gartner reporting that over 42 per cent of CEOs have begun digital transformation in their business, the consumption of software and applications has risen dramatically – underpinning an increasing number of business operations. However, this introduces increased risk into the organisation, with software vulnerabilities constantly targeted by cyber criminals to insert malware or leak data. And while businesses can mandate secure application development and security testing into their own business, the risk of a supplier being exploited with this attack vector is high.
Organisations need to introduce governance and controls to ensure that best practice application security is rolled out across the entire company and its associated partners. This is something that the manufacturing industry, for example, has been particularly strong at – as existing controls have helped them to enforce the mandate anywhere they have an application – both in their own company and with their suppliers. And this kind of security process need not aggravate suppliers or partners, indeed some forward-thinking companies have actually paid for the necessary appsec solutions to help their partners and suppliers become compliant with their company policies.
With GDPR on the doorstep, businesses in all industries need to look at how they can ensure that the software and applications that their suppliers are using meets their own security standards. Only this way can they ensure that their suppliers and partners aren’t risking their compliance, and perhaps more importantly their security.”
Dr Malcolm Murphy, Technology Director for Western Europe at Infoblox:
“While this year’s Cyber Governance Health Check report certainly shows that considerable progress has been made, unfortunately it’s clear that cybersecurity is still not a top priority for all UK organisations.
“10 percent of boards surveyed still don’t have a plan in place to respond to a cyber-incident – making themselves instantly more vulnerable. In light of the devastation caused by global cyberattacks already this year, all companies need to ensure they have a thorough plan of response as a matter of urgency.
“DDoS attacks in particular can significantly disrupt an organisation’s services and when this happens a plan of action forms a vital part of the defence. Such attacks are often used by criminals as a smokescreen for other nefarious activity such as data theft or extortion, and organisations need to have a clear process in place to assess the extent of the breach and prevent any further damage.”