Cybersecurity has become a top priority for senior management as organisations seek to protect against the growing threat of attack from individuals, organised crime networks and even governments.
From destroying a company’s reputation to wiping out a nation’s power supply, cybercrime has become one of the biggest threats to business in the twenty-first century. No company is immune to attack and the results range from embarrassing to devastating.
Last year saw a sharp rise in cyber attacks including a serious breach at US credit report giant Equifax which exposed almost half the country to global ransom campaigns that cost companies millions of dollars, according to CNN.
Today’s cyber risk is not just a question of individuals or concentrated groups of hackers attacking holes in security for personal gain or simply for fun. There are increasingly widespread concerns over state-funded interference that could cripple businesses and services, and temporarily wipe out a nation’s power supply.
Fears of a so-called ‘black sky’ cybersecurity attack capable of knocking out power for weeks were stoked recently when UK Defence Secretary Gavin Williamson alleged Russia had been spying on the UK’s energy infrastructure and could cause “thousands and thousands and thousands” of deaths if it crippled power supply, according to an article in The Daily Telegraph in March. This followed accusations from the United States that Russia was behind a campaign of cyber attacks targeting the US power grid.
While we are not all likely to be plunged into darkness just yet, and there may well be some political point-scoring going on, it is clear cyber risk has taken on a far more serious and sinister tone in recent months. However, the potential for country-wide attacks shouldn’t overshadow the breaches occurring every day to businesses of all sizes in all industries around the world.
Cyber incidents targeting businesses nearly doubled from 82,000 in 2016 to 159,700 in 2017, according to the Online Trust Alliance (OTA), an Internet Society initiative promoting the evolution of the Internet for the benefit of people throughout the world. Since the majority of cyber incidents are never reported, OTA believes the actual number in 2017 could easily exceed 350,000. The Online Trust Alliance is an initiative within the (ISOC), a global non-profit with the mission to promote the open.
“Surprising no one, 2017 marked another ‘worst year ever’ in data breaches and cyber incidents around the world,” according to Jeff Wilbur, director of the OTA initiative at the Internet Society. Commenting on the OTA’s website, he says: “This year’s big increase in cyber attacks can be attributed to the skyrocketing instances of ransomware and the bold new methods of criminals using this attack”.
Banks in particular seem to be taking the cyber threat seriously. In a 2018 Risk Survey sponsored by Praxity participant firm Moss Adams in the US reveals that 84 per cent of executives and directors of US banks with above $250 million in assets regard cybersecurity as a top risk concern. For the fiscal year 2018, these banks budgeted an average of $200,000 on cybersecurity expenses, including personnel and technology.
Cyber threats to all businesses
The question for most is how to minimise the cyber threat, and more importantly, how to do it when resources are already stretched? The cyber challenge is particularly tough for small and mid-sized businesses without the money of multinationals but just as vulnerable to attack, according to the new 360° Cyber Risk Survey report by US accounting firm Aronson, a participant in Praxity Global Alliance.
The report makes clear that “as larger companies continue to make massive investments in increasing their cybersecurity measures, middle-market and small businesses are becoming a greater focus for cyber criminals. Many middle-market organizations lack the budget, resources, processes, and technology to effectively defend against a harmful breach. Considering the gravity of potential breaches, middle-market organizations need to do more to confront and mitigate cyber risk – before they face financial losses and reputational damage.”
Aronson Partner Payal Vadhani, co-author of the survey report and head of the Cybersecurity, Risk and Compliance practice, says small and mid-sized businesses are especially vulnerable as they don’t have many of the security measures found in large companies. She explains: “They have to worry about perpetrators breaching their network through network devices or back doors, as well as employees knowingly or unknowingly handing out information to the attackers”.
The Aronson expert acknowledges that risk is being treated more seriously by smaller companies, but she suggests it is not being addressed in the right way.
“The nature of the issues facing different sized companies in various markets are very different. Cybersecurity is not ‘one size fits all’. It all depends on the company and its industry. What I see in the mid-market sector is that companies know about cyber risk. They are thinking about it but are really struggling to find the budget for delivering security measures. There is IT spend to keep the lights on but not much on protecting data and the particular requirements of the market they are in. Most of our clients in the Washington, DC area are in government contracting services, healthcare and finance, and they have specific issues that they have to address.”
Risks of the cloud
One growing area of concern facing mid-sized companies in particular is the potential for cyber attacks on cloud-based services. The Aronson report reveals nearly half of IT, accounting, finance, and HR processes are managed on the cloud but transferring various controls and responsibilities to a cloud service provider does not transfer all risks.
The report calls on companies to establish a vendor risk management programme to properly vet providers, require minimum security controls (where applicable), monitor compliance with contract agreements, and determine residual risks and controls within the purview of the organization. This programme should feed into the overall IT and enterprise risk management programmes.
Multinationals open to attack
Despite generally having more money to throw at cybersecurity, global businesses are frequently victims of damaging cyber attacks. The reason, Payal Vadhani says, is they are not addressing all the risks they are exposed to.
“They have spent millions of dollars on defence in depth but they are finding out it is not as watertight as they would like it to be. There are lots of different reasons for this. It could be a range of issues from the availability of services and information for companies such as internet service providers, Twitter and Netflix, or ransomware or data breach for other companies. These issues are connected to a myriad of different things such as personal devices, cloud services, ageing infrastructure, and humans, who represent the weakest link.”
Simple oversights can make a business highly vulnerable to attack. The Aronson cybersecurity expert adds: “I know of some cases where administrator IDs are in a publicly accessible file which are in plain text and not encrypted”.
Minimising the risk
Amazingly, the OTA calculates 93 percent of all breaches in 2017 could easily have been avoided had simple steps been taken such as regularly updating software, blocking fake email messages using email authentication and training people to recognize phishing attacks.
It comes as no surprise, therefore, that the Aronson survey report reveals alarming gaps in the way cyber risks are managed. Just over half of mid-sized business respondents said policies to protect sensitive information were not implemented while 36% said their organisation did not conduct security awareness training.
Payal Vadhani says organisations should, at the very least, put in place an incident response plan on the steps they need to take to contain and recover from cyber incidents, backed by cyber insurance policies and awareness training.
Failing to address cyber risk doesn’t only increase an enterprise’s vulnerability to attack, it could also land an organisation in hot water in terms of compliance. The General Data Protection Regulations (GDPR), which come into force in May 2018 in the EU, could result in a fine of up to 4% of global turnover or €20 million, if breached.
The EU regulations place important new obligations on any business that handles the data of individuals living in the EU, independent of where the business is located. This is another aspect of security awareness training that should be considered by organisations offering goods or services to, or monitoring the behaviour of, EU data subjects.
To overcome these cyber challenges, Aronson says cyber risks must be addressed holistically. Its report states: “Risk mitigation strategies must be devised, which demand stakeholder engagement from the board-level down to frontline staff members. A multi-pronged approach that leverages technology, education, and cyber insurance should be contemplated to achieve cybersecurity programme resiliency and effectively combat cyber threats.”
Payal Vadhani suggests: “A customized cybersecurity program based on industry type, business needs, regulatory requirements, and specific business and cyber risks is worth exploring as data is becoming the new currency”.
Managing cyber risk is no easy task, and is constantly evolving, but a clear strategy rolled-out across every department, coupled with awareness training for every single employee, would go a long way to addressing vulnerabilities.
How to develop a cybersecurity plan
Payal Vadhani, Partner, Cybersecurity, Risk and Compliance practice at Aronson, has created an 11-point plan to help mid-sized businesses develop a cybersecurity strategy.
1. Understand your risks and threats landscape.
2. Assess, classify, and build extra protection around critical data.
3. Update policies, processes, and procedures to address point-in-time and forward-looking risks and embed cybersecurity culture.
4. Have contingency and incident response plans in place that include law enforcement, forensics (digital, human, and physical), client, investor, legal, media, and others.
5. Assess your cyber insurance coverage.
6. Conduct security awareness and training on a regular frequency (once a quarter).
7. Get up-to-date on patches and subscribe to security advisory mailing lists.
8. Manage vendor security through policies and processes.
9. Conduct penetration tests and vulnerability scans (internal and external) on a reasonable frequency. Remediate highest risk areas.
10. Set up an Insider Threat program, even bare bones will do as a starting place.
11. Implement technologies that complement your processes.
Doing nothing isn’t an option, she says. “Cybersecurity is a journey, and not a destination. It’s important to start taking baby steps in the right direction. With focused and concentrated efforts, companies can improve their cybersecurity posture over a period of time.”
This article was written for Praxity, the world’s largest alliance of independent accounting and consulting firms.