Cyber security has been thrown into the limelight this week with allegations that the North Korean government is responsible for hacking into Sony Pictures’ systems and leaking four films at a cost to the studio production company of tens of millions of pounds.
This follows another attack earlier this year when members of China’s People’s Liberation Army were charged with hacking companies in America for trade secrets. This latest incident, once again, raises the question: are organizations doing enough to protect themselves from a cyber attack?
The type of corporate information cyber attackers have access to is pure gold: information on pricing structures, strategic bids, client lists - the possibilities are endless. For example, details of half-year and end-of-year results could allow attackers to get ahead of the market and make substantial profits if they obtain them before release to the market.
Information on possible mergers and acquisitions could give a third party an advantage or, again, allow an attacker to pre-empt the market. But let’s be clear, the senior management of a company may not be the first target; an attacker may gain access to sensitive information via another member of staff.
The impact of a successful attack is also very clear: financial loss, regulatory and/or legal sanctions and fines, plus brand and reputation damage, which increasingly appears on balance sheets. Furthermore, once a reputation is lost or damaged it can be very difficult and expensive to restore. So what can businesses do to avoid such attacks in the first place?
Despite what you might think, the solution is not simply technical, with the IT department introducing controls to prevent and detect repeat attacks. This only partially addresses the problem. To help reduce the risk of such an event happening, companies need to consider the role of their staff in preventing, detecting, and responding to cyber-attacks. Many attacks rely on a member of staff to click on a link in an email, to provide what appears to be an innocent piece of information about the company, or even to provide the attacker with a username and password. Sounds silly, but it happens, and there is plenty of evidence to suggest that over 50% of attacks are the result of a member of staff having a momentary lapse of concentration.
Therefore we must seek to make all staff, from the CEO down to the receptionist, aware of the cyber threats they face. This needs the latest immersive, “learning by doing” techniques that don’t confuse by using technical jargon and that provide the information staff need about how to prevent, detect and respond to a suspected cyber-attack.
Successful advertising campaigns are effective because their messages are simple, memorable, repeated and engaging. In short, we need to move away from the old, compliance-led approach to cyber awareness learning.
AXELOS has just released a free-to-download white paper on Cyber resilience:
Cyber Resilience: Bridging the Business and Technology Divide