Cyber attacks are becoming more commonplace, and in today's digital, global workplace companies can no longer bury their heads in the sand and hope that no one breaches their internal IT security. I have therefore asked Simon Jobson, a technology leader with 25 years' experience managing digital transformations in complex, international listed and private companies, to discuss cyber security essentials for boards and senior management.
I have had many conversations with board members and senior executives on the subject of information security (or cyber security). One of the more common sentiments I have come across is the view that “if someone wants to get in they will” or “they are probably already in anyway”. It’s understandable that high-profile attacks can make us feel helpless. However, the reality is that regulators, investors and customers will pass judgement, and if senior management and boards are lax then the company will suffer.
Targeted vs opportunistic cyber attacks
If someone has the incentive and the resources, they can be hard to stop, but this type of targeted attack is reserved for a select few victims. The attackers behind such campaigns are often described as advanced persistent threats (APTs), a label usually applied to nation states and other well-resourced groups. These attacks are carried out by skilled operators after a significant amount of research and planning. They may rely on vulnerabilities that are not yet known to the vendor, so that no patch exists; the code that exploits such a flaw is called a 'zero-day exploit', and defences tuned to known threats will not recognise it. Targeted attacks are expensive to conduct and, when discovered, generate sensational news stories, such as the attack on the NSA in the USA.
However, for the rest of us, including most commercial enterprises, a simpler, more opportunistic attack is far more likely. These can be equally devastating in their impact, but the good news is that preventing them is quite feasible with good practice and management prioritisation.
For the criminals perpetrating these attacks, it's a numbers game: spend as little as possible for maximum return. This frequently means distributing malware to unsuspecting targets via email or websites, exploiting vulnerabilities that are already publicly known and for which a fix usually exists. The malware exploits those vulnerabilities on the victim's computer to take control, at which point the attackers have won.
How to prevent or minimise an attack
For vulnerabilities that are publicly known, system vendors will typically have released updates, or 'patches', that remove the flaw the malware relies on. Keeping all your systems' patches up to date will drastically reduce your chances of being hacked. But is it really that simple?
Well, yes and no. Depending on the size of your company, the number of patches for one system can run into the hundreds per year, across hundreds or thousands of devices. Often these patches need testing to ensure compatibility with older systems, such as an old accounting package.
Frequently, other business priorities compete for your IT teams' time, and consequently patching drops further down the list, getting delayed and backlogged. The task of catching up then becomes ever more daunting. It is not uncommon for a company to be 6-24 months behind with patching, and this is exactly what the attackers are hoping for.
The recent ransomware that hit the NHS (WannaCry, in May 2017) is a prime example. It exploited a Windows SMB vulnerability that Microsoft had fixed with a patch (MS17-010) two months earlier. Yet many systems were as much as two years out of date.
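The backlog described above can be turned into a metric a board can ask for: for every device, how many days has the oldest unapplied critical fix been public? That number is the attacker's window of opportunity and the figure a regulator would ask about. The script below is an added example, not code from the original article or from any vendor tool; the `Patch`/`Host` data model and the 30-day patching SLA are assumptions, and the patch identifiers, host names and dates are constructed for illustration.

```python
"""Patch-backlog metrics for a constructed fleet inventory.

Added example, not from the original article. The Patch/Host data model and
the SLA are assumptions; FIX-00x identifiers, host names and dates are
constructed and do not refer to real vendor bulletins.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Patch:
    patch_id: str      # vendor identifier (constructed, not a real bulletin)
    released: date     # date the fix became publicly available
    critical: bool     # vendor severity: fixes a remotely exploitable flaw


@dataclass(frozen=True)
class Host:
    name: str
    installed: FrozenSet[str]   # patch_ids confirmed applied on this host


def missing_patches(host: Host, catalogue: Iterable[Patch]) -> List[Patch]:
    """Catalogue patches this host has not applied, oldest release first."""
    return sorted((p for p in catalogue if p.patch_id not in host.installed),
                  key=lambda p: p.released)


def exposure_days(host: Host, catalogue: Iterable[Patch], today: date) -> int:
    """Days since the oldest missing *critical* patch was published.

    This is the window during which a publicly known, already-fixed
    vulnerability was exploitable on the host. 0 means no critical fix
    is outstanding (non-critical backlog is ignored here by design).
    """
    crit = [p for p in missing_patches(host, catalogue) if p.critical]
    if not crit:
        return 0
    return (today - crit[0].released).days


def backlog_report(hosts: Iterable[Host], catalogue: Iterable[Patch],
                   today: date, sla_days: int = 30) -> Dict[str, object]:
    """Summarise fleet patch posture against a patching SLA given in days."""
    catalogue = list(catalogue)
    exposures = {h.name: exposure_days(h, catalogue, today) for h in hosts}
    breaching = {n: d for n, d in exposures.items() if d > sla_days}
    worst = max(exposures, key=exposures.get) if exposures else None
    return {
        "hosts": len(exposures),
        "breaching_sla": len(breaching),
        "worst_host": worst,
        "worst_exposure_days": exposures[worst] if worst else 0,
        # hosts exposed for more than roughly six months (the article's
        # threshold for what a regulator would call a management failure)
        "over_six_months": sum(1 for d in exposures.values() if d > 182),
    }


# Constructed catalogue: three fixes published over about a year.
CATALOGUE = [
    Patch("FIX-001", date(2016, 5, 10), critical=True),
    Patch("FIX-002", date(2016, 11, 8), critical=False),
    Patch("FIX-003", date(2017, 3, 14), critical=True),
]

# Constructed fleet: one current host, one slightly behind, one badly behind.
FLEET = [
    Host("finance-01", frozenset({"FIX-001", "FIX-002", "FIX-003"})),
    Host("hr-07", frozenset({"FIX-001", "FIX-002"})),
    Host("legacy-acct", frozenset()),   # old accounting server nobody dares touch
]

TODAY = date(2017, 5, 12)   # constructed reporting date


if __name__ == "__main__":
    for h in FLEET:
        ids = [p.patch_id for p in missing_patches(h, CATALOGUE)]
        print(f"{h.name:12s} exposed {exposure_days(h, CATALOGUE, TODAY):4d} days, missing {ids}")
    print(backlog_report(FLEET, CATALOGUE, TODAY))
```

On the constructed data the fully patched host reports 0 days, the host missing only the March fix reports 59 days, and the untouched legacy server reports 367 days, so two of three hosts breach a 30-day SLA and one has been exposed for over six months. In practice the `installed` sets would be fed from your endpoint-management or vulnerability-scanning tool; the point for a board is that "days of exposure to a public, patched vulnerability" is a question IT can be asked to answer every month.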
In the case of a targeted or advanced (APT) attack using previously unknown vulnerabilities, a board could reasonably claim that preventing it was beyond the company's ability. However, falling to an opportunistic attack that used a vulnerability which had been publicly known, with a patch available, for six months is likely to be seen as a management failure, meaning the board is culpable.
To bring a more rounded approach to cyber security and further improve your chances of resisting attack, a board needs to be able to probe four areas: organisation (e.g. delegation and reporting lines), processes (e.g. backups and policies), people (e.g. staff training and awareness) and technology (e.g. patching).
However, the bottom line is that most attacks are opportunistic and preventing them is generally within the control of management and the board, provided the right questions are asked and the right priorities set.
But who is responsible for ensuring the right cyber security priorities are set? Who should be driving the company's internal IT security processes before it is too late? And what questions should be asked in order to set the right priorities? Too often management assume the IT function has it under control, when no one has told IT what is expected of it.
To answer these questions, BIE will be running an event for executive leaders with Simon later in the year, where he will discuss the questions you should be asking in order to audit your company's cyber security effectively.
If you are a senior business leader who would be interested in finding out more information about this event, please enter your details into the form below, and we will contact you once the event details are released.