Cyber crime is a growing problem. Last weekend’s Sunday Times reported that the new breed of cyber criminals view themselves as digital Mafiosos. It also said, quoting IBM, that 60% of cyber breaches owe their genesis to insiders, of which 44.5% are “malicious” insiders – employees deliberately setting out to do something criminal. That may seem surprisingly high but a survey in the US last year reported that 1% of employees said that they would sell their company’s data for as little as $10. When the price got to $1,000, 15% said that they would.
Even the vaunted IBM can only ever SWAG (scientific wild-assed guess) at these statistics because, no-one really knows – victim secrecy and unidentified crimes ensure that no-one really knows. So, whatever numbers you are looking at, they are likely an underestimate. Nevertheless, for the sake of this blog, let’s assume that IBM’s SWAG is in the correct statistical ballpark.
We do need statistics, even if they are based on a guess. Without them we don’t have a start point and therefore it is difficult to make a plan. Without a plan it is difficult to develop a budget. When it comes to InfoSec (of which cyber security is a part), we need to make sure that our plan is sufficiently flexible that it can (and does) change with the facts. In cyber security, one problem we have is that those who provide our statistics tend to be vendors. They have a tendency to focus on statistics which support their sales forces. If they sell something, they’ll have a statistic which supports the need for their gizmo. If they haven’t got a solution, they will tend to keep quiet about the problem. This is hugely significant for smaller companies who tend not to have the skills, time or money to throw around and must rely on what the ‘experts’ tell them. Frequently, they are advised badly.
The impact of cyber crime on SMEs
Zurich Insurance has just released a ‘global’ survey looking at the potential effect of cyber crime on SMEs. 49 pages of graphs inform us of respondents concerns and also shows some worrying complacency. The survey highlights that concerns are broadly similar, regardless of region or nationality. Predictably perhaps, worries focus around obvious potential domino threats: 1. Theft of customer data; 2. Reputational damage, and; 3. Business Interruption. Theft of customer data is the #1 worry everywhere. General confidence of being able to keep out of the way of cyber crime is declining. Yet, interestingly the ‘too small to be of interest” approach (which is absolutely wrong!) remains far too prevalent.
The Sunday Times points out that SMEs (under 2,500 employees) are the target of three-quarters of all cyber attacks – up from 50% four years ago. Small companies (below 250 employees) have gone from being the victims of 18% attacks four years ago to 53% last year, a whopping threefold jump. Both these statistics comprehensively debunk the ‘Too Small’ nonsense.
Life in Cyberland is becoming more dangerous. To reflect this, and the need for companies to take more care with data, fresh laws are being enacted. These laws are placing direct responsibility on executives. Post-event finger pointing will no longer be permissible.
Technology use comes with risks
No business today can operate without using technology. The vast majority of ‘Business Risk’ is derived from how the workforce interacts with their technology. Even where a crime is committed by an external party, it is frequently the case that a (virtual or real) door was opened by someone within. If the workforce – everyone, not just IT – are not aware, trained and managed, there is only one guarantee – that, at some stage, the company is likely to become victim of a successful cyber attack. This is a Risk matter. This is about Business Continuity, and perhaps survival, and must be supervised closely by the Board/C-Suite. If a company has not identified its ‘Risk’ it cannot begin to assess the ‘Threat’. If it hasn’t done that, it can’t make a meaningful plan. This isn’t about expensive technology or software, to some extent that is just a distraction.
It is about simple cyber hygiene, having an effective InfoSec plan which is owned and supervised by the Board, and making sure that it is followed.
Think human, BEFORE you think cyber.
Think security, NOT compliance.
Be Cyber Sure
