CHES Special Risk Inc. explores the risks
How it plays out…
It’s morning, and a woman walks into your company’s head office. She tells the receptionist she’s the Real Estate Agent selling the building next door. She’s supposed to be showing around prospective Buyers. But in her rush from home, she forgot to bring the planning documents to show the Purchasers. She asks if she can quickly plug in her laptop, download the plans and print them off. The receptionist understands her predicament and agrees. Five minutes later the ‘Real Estate Agent’ has infected your computer systems with malware. And you know nothing about it. Sound far-fetched? Think again.
What this scenario clearly illustrates is that while a company can spend thousands of dollars on IT systems to safeguard its business, it can’t prevent employees undermining all that investment. Whether it’s by mistake, they’re under duress, or most commonly, through a simple lack of awareness.
Ignorance isn’t bliss
In fact, ignorance is one of the biggest threats to a company’s defenses against cybercrime. There’s a worrying perception, particularly among SMEs, that the cost of securing a business is not always equal to the risk of attack. This goes some way to explaining why so many companies are attracted by the IT vendors’ pitch of an automated solution – a one-stop shop for all their cyber security issues. This magical panacea does not exist. Yes, you need the robust technical defense, but you also need to invest time and effort to make sure your people aren’t going to subvert it by the most basic of errors. In this context, basic errors include clicking on a phishing email, weak passwords, and indiscreet conversations in the pub or on social media. All can open up a world of opportunity to the seasoned cyber criminal.
Being compliant doesn’t mean being secure
While tough to eradicate, companies can substantially reduce these errors by working towards being secure, rather than just being compliant with regulatory regimes. Instead of asking ‘have we ticked all the boxes?’, management should be aiming to embed a culture of security.
This has to come from the top of the organization – from the CEO and CIO – right down to the security guards and receptionists. You need a well- trained, well-aware workforce looked after by a management clearly interested in the issue.
Prioritize your vulnerabilities
One problem is that many companies think they have nothing of interest to hackers. This is a monumental misjudgment. SMEs – particularly suppliers – are often used as a back-door route into the more juicy prey of larger corporations. An example of this is Target Corp, where hackers stole 40 million credit card numbers. Security and compliance can be a major drain on cash and resources but it’s about priorities. Reduce the amount you’re trying to make secure, and spend more time making that secure. Client data, how you pay money, how money is moved around – this is information always worth defending.
Education, education, education
One of those priorities should be people and their education, but management often plump for the online compliance packages that keep employees at their desk while satisfying the regulators (box ticked). But imagine if you got your employees in a room and talked about information security for a day. It’s all about keeping the idea of security front of mind. There’s also more chance of it sinking in and reappearing later when they might really need it – like that receptionist. Training is often seen as dead money. But if you think compliance is expensive, try non-compliance. Research suggests that up to 80% of unprepared businesses that suffer a serious cyber- breach and have no decent crisis management plan in place go out of business within 18 months.
No one and no company can be 100% secure. If someone promises you that, show them the door! Building a resilient defense means having the right culture. One that comes from proactive engagement from the top of an organization with the right priorities and a well-crafted governance regime. Do that and you’ll have a much better chance of weathering a breach, and of course, Purchasing the correct coverage.