Do you know what you don’t know? It’s not a tongue twister but an important question that all organisations must ask themselves when thinking about the risk that cyber crime presents to their business.
The European Commission has announced that tough penalties will be levied on businesses that do not abide by security policies. From March, under the E-Privacy Directive, telecoms companies must publicise data breaches – resulting in widespread concerns about the damaging effects that breach notification could have on business and brand.
I chaired a webinar for ITogether on this very subject this week, with the discussion led by Cisco’s Senior Security Advisor, Paul King. Paul was joined by Morgan Lloyd, head of Cisco’s security intelligence operations for the public sector, and Martin O’Toole, MD and Co-founder of brand design agency, McGrath O’Toole.
The webinar began with Paul King asking some tough questions. “Do you know what risks you are taking and are you happy with the level of risk?” This wasn’t scaremongering. Most organisations aren’t aware that their businesses face security risks, often because they haven’t looked, haven’t noticed, don’t think anyone would want to attack them, or are confident that their network is secure. Paul’s point was that, without understanding the risk, you can’t make an assessment about the threat.
Twenty years ago, if you wanted to access a business’s network, you would have to request permission from the owner. Today it’s more complicated than that. Businesses have two choices. They can: A) lock, block, ban and stop, or B) acknowledge the business benefits of global connectivity and enable their organisation to embrace the new opportunities it presents, whilst ensuring operations run securely.
Then you need to ask yourself what you are trying to protect. The answer to this question is crucial to ensuring that you are investing in the right preventative measures. Paul advised starting by considering the biggest possible impact on your company, and the potential causes. This should reveal what your vital assets are. For example, if your company is about to file its annual financial figures, the impact of an attack could compromise confidentiality and integrity of data, so your financial system may be number one on your list of assets to protect.
Paul shared Cisco as an example of a business embracing 21st century next generation working practices. The global teams all use iPhones, iPads and laptops to help them work more efficiently and effectively, but they know and accept the risks, and mitigate and manage them. Of course you would expect the world’s largest networking company to be leading the way, and it is no surprise that Cisco security teams embrace their role as enablers of secure use of the latest technology, but it is an example that all organisations can learn from.
Paul concluded his part of the discussion by asking the audience, “Who owns the security policy in their company?” Cisco’s CEO John Chambers says that users are a company’s greatest asset and that it is all down to the individuals. Certainly, by sharing best practice and explaining security risks to your workforce, including what needs to be done to keep the business safe, you’ll find that they take individual responsibility for their actions and are much more proactive.
Morgan Lloyd, head of Cisco’s security intelligence operations, brought a new dimension to the discussion by providing some real-time examples of the latest Cisco tools being used worldwide to safeguard businesses by identifying and preventing attacks. He reported that one of the most common attacks targeted at businesses is the phishing email containing a malicious link, which can be sent through traditional email as well as social platforms such as LinkedIn and Facebook. Most anti-spam devices won’t recognise these attacks if they come from unrecognised IP addresses. Malware can then be installed onto the device, harvesting passwords and feeding them back to the perpetrator. Attacks such as these can be easily prevented if you know the risks. Cisco’s intelligence monitors and detects hackers and issues instructions enabling businesses to react to a new risk before it becomes a threat. Applications such as Cisco’s ScanSafe process over 20 billion web requests every day, a third of the world’s global messages.
The webinar concluded with Martin O’Toole from McGrath O’Toole talking about the impact of cyber crime on brand. He made a point that, in the current climate, is more pertinent than ever before. All businesses share one common objective – to improve the bottom line and ultimately increase profitability. If brand value, the additional income a company can make from its products solely because of its brand name, is damaged, this will have a direct impact on a business’s overall profitability. Martin highlighted the example of RSA, part of the EMC Group, who experienced a 5 per cent drop in share price as a direct result of a targeted attack on the network of defence contractor Lockheed Martin. He also referenced research sponsored by Experian which found that widely reported data breaches, with a loss of more than 100,000 confidential employee records, resulted in a 12 per cent decrease in brand value. Both examples helped to hammer home the message about the tangible impact of risk.
In summary, if you don’t know what your risks are, then a threat exists for your business. The motives are there – in almost all instances driven by financial gain, whether it’s customer credit card details or valuable business data. The capability exists – there is no shortage of people that know how to execute targeted attacks, and the risk is heightened by current security models that are largely only minimally effective against cyber criminals. Security breaches not only compromise an organisation’s vital assets but fundamentally affect the trust that people place in a business, significantly reducing the chance of new business, both now and in the future. No organisation is risk free; what is important is that threats are recognised and that the right processes are put in place to protect against potentially devastating consequences.
If you missed ITogether’s webinar you can listen on playback here: http://www.itogether.co.uk/2012/01/cisco-cyber-crime-webinar-playback-time/