How Relevant is Cybersecurity?
In this day and age, the number of companies that have not yet considered or implemented cybersecurity protocols is astonishing. Perhaps an even bigger concern is the extent to which individuals in senior management and IT roles pose questions such as: “But why would we need that?” or “It’s not my responsibility, is it?”
However, the candid truth is that cybersecurity needs to be on everyone’s radar right across the organisation, and here is why:
Prevalent Cybersecurity Threats
Data breaches and data leaks are the most common sort of cyberthreat and can quickly escalate into a “high priority” concern. Recently, a range of companies have been subject to such attacks. For example, on 15 September 2022, Uber suffered a cyberattack by an individual who claimed responsibility and shared screengrabs of various compromised Uber resources with the media and with security researchers. On a similar scale, Australian telecommunications company Optus had customer personal information compromised in an attack, including names, dates of birth, addresses, phone numbers and, in some cases, passport or driver’s licence numbers.
Similarly, charities collect and store sensitive personal information for the purposes of managing donations, subscriptions and so on, which often includes sensitive personal and financial data. These records can easily be compromised in a cyberattack. Personal data is protected by law under the General Data Protection Regulation (GDPR); it is confidential and should never be disclosed or distributed. Cybercriminals are constantly looking for ways to attack, compromise and exploit weak IT systems, infrastructure and databases in order to access sensitive personal data. Some do this for the sense of personal achievement; others do so in order to sell the data on the dark web for financial gain.
Any cyber breach that involves a data leak poses a significant risk to the people whose data was accessed, and the Directors of the organisation would be held liable for the data breach, which could result in substantial fines from regulators and potentially catastrophic reputational damage with long-term financial ramifications. Cyberattacks are increasingly an everyday occurrence, and the risk is further exacerbated by organisations supporting post-COVID work from home (WFH) or hybrid initiatives, where a combination of new technology and staff behaviour could provide rich pickings for sophisticated cybercriminals. At a bare minimum, any organisation that is the custodian of sensitive personal data should conduct basic data security assessments to prevent that data from being disclosed.
Cybercriminals can also attack insecure websites, which can itself create a data security breach: they can quickly take control of a site and alter it to emulate an online department store in order to fool unsuspecting visitors. The likelihood of this happening, however, depends on the strength of the security of an organisation’s website and on how consistently internal and external user groups follow strong password and authentication protocols. In some attacks, the website and its associated data remain intact, but recovering them can still be costly and time-consuming.
Vulnerabilities to Cyberthreats
For many, putting cybersecurity measures in place means relying on and getting support from a third-party IT provider who helps you manage your systems to prevent a potential threat. However, that is only part of the story. Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks. Synonymous with information technology (IT) security, cybersecurity measures are designed to combat threats against networked systems and applications, whether those threats originate from inside or outside of an organisation.
A company can claim, “we have XYZ in place for this” or “we have done XYZ for that.” The security measures they refer to may be the latest technology system, installed to protect against something unprecedented. However, it is the employees using the technology who are often the weakest link in the cybersecurity chain. Mistakes can happen and sometimes cannot be controlled, but that shouldn’t be the case when it comes to cybersecurity, when there is so much at stake.
Part of the problem is the depth of cybersecurity knowledge, or more often the lack of it, that employees possess. Hackers, phishers and scammers often end up identifying pathways into confidential company data and accounts because employees have not been trained on cybersecurity protocols. On most occasions, employees do know how to use a particular system but forget (or have no idea) which controls should be used to protect client and corporate data. So, a set of valid questions would be: How knowledgeable are the staff on cybersecurity protocols? What is multifactor authentication (MFA)? Is web filtering in place? When was the last update made to antivirus or anti-malware tools or distributed software? Who has accountability?
Exacerbating the acute lack of awareness of guidelines on cyber protection is the absence of an accepted and recognised cybersecurity “gold” protection standard. The sparse guidelines that do exist vary enormously, as does the understanding of “industry best practice”. It is thus unsurprising that organisations find it difficult to identify, let alone follow, a “standard” cybersecurity methodology.
How TORI can help
Strong emphasis should be placed on the working relationship with the third-party cybersecurity expert or auditor engaged by a firm. There are multiple facets to consider: ensuring you have the right IT systems in place, with strong processes and security protocols; and regular cybersecurity training for all staff, so that everyone understands and is fully apprised of the importance of this issue.
At TORI we review the latest industry practices and artefacts to collate a plain-language guide to the steps you can take:
1) Much like Health &amp; Safety, responsibility for cybersecurity starts with you! Do not wait for “someone else” to “handle” it; take ownership, because it is your reputation and your organisation’s that is at stake. Any concerns should be raised as soon as possible so that action can be taken. Moreover, don’t wait for a cybersecurity threat to emerge before acting. Cybersecurity does not have to be complex or prohibitively expensive. TORI can assist you with a wide range of supporting services, such as cyber assessment and advisory.
2) Cybersecurity solutions come in all shapes and sizes. There is a wide range of solutions and services, and these can usually be tailored to meet the individual needs of the organisation. Networking with peers via industry-led bodies, or reading about current cyber threats as part of continuing professional development (CPD), can help you narrow down which services you need. TORI can help by providing up-to-date advice on the latest trends and services commensurate with your needs.
3) Educate at all levels on cybersecurity policies and measures that need to be put in place. Regular training sessions and drills for employees can help ensure that each team member is equipped to put security policy into practice.
Ultimately, these steps are about doing something to initiate or improve cybersecurity to protect your firm, its data and its reputation. No firm can afford to wait until it becomes a target for cybercriminals. Taking responsibility and action is key, and that can start with you, today.
Cybersecurity threats can vary from spear-phishing to insider threat, and threats and countermeasures are continually evolving. We can help you with:
- Cyber Assessment / Advisory
- Application Security Services