Over the last year we have seen a rise in high-profile cyber-attacks, with WannaCry and NotPetya causing an immense amount of disruption to companies, government departments and the NHS. When the WannaCry attack hit the headlines in May it affected 230,000 computers across 150 countries and had an economic cost of more than £3 billion. The cost of NotPetya is still being counted, although one consumer products company has already estimated the cost to them at £110 million in lost revenue, with many others across the globe affected.
Both attacks are ransomware, a type of attack in which the perpetrator threatens to publish a victim's data or permanently block access to it, and ransomware is now seen as the largest threat to a business. Worryingly, the Russian Ministry of Communications reported that up to 40 percent of stolen funds are subsequently invested in the improvement and modernisation of malware technology, phishing techniques and fraudulent online schemes.
Companies are therefore taking steps to protect against these types of attacks. However, with the average company investment in cyber-security being 0.5 percent, we may not see this problem go away for a while yet.
All is not lost, however. Both attacks exploited vulnerabilities in out-of-date operating systems which would not have been vulnerable if patched. Security patches for supported operating systems are usually free, so there is little budgetary demand here, which means the finance hurdle is partly crossed. There will be a resource demand on the IT team responsible for patching an entire IT estate, which may be further complicated by end users who are keen to get on with the day job and do not want the distraction of worrying about the technology that supports it. This means the patching problem is largely about people and process.
To effectively combat these types of attacks we need to look at a cultural change within the company and move cyber-security higher up the agenda. A great start could be to adopt the ISO/IEC 27001 Information Security Management standard, which ensures management buy-in, has a set of technical controls that must be followed and ensures people have a level of security awareness in the company. For smaller companies, there is the Cyber Essentials scheme, which focuses on technical vulnerabilities and provides a check to ensure that controls are in place, one of the areas being patch management. By adopting this scheme, smaller companies are committing to a cyber-security programme, which again shows management buy-in.
The company's employees, as always, are key: a recent review found that 90 percent of all malware requires human interaction to infect its target machine. This means one of the areas we must look at is user awareness. Having an effective awareness programme in place, so that employees are sufficiently briefed and know what to look for, will not only help prevent an attack taking place but will also aid in changing the culture of the business to bring cyber-security higher up the agenda. Awareness can be provided in several different ways, including internal training by the security department, onsite training by external providers or one of the many good online courses.
In addition to the steps we take to prevent a cyber-attack, we also have to recognise that we may one day leave one of the windows open and an attack may occur. For this we need a cyber-incident response plan which gives a clear set of instructions, along with roles and responsibilities, for what should be done if an incident occurs. We also need to make sure we rehearse the plan and update it to ensure it remains fit for purpose.
So, in summary, whilst we are going to see more cyber-attacks in the future, there are steps we can take to aid prevention. Firstly, cyber-security should not be just an IT problem and should be higher up the company's agenda. We should look at adopting a standard that ensures cyber-security is constantly considered and monitored, and that action is taken to prevent vulnerabilities. We should also be looking at increasing awareness within the company using onsite or online courses, and lastly, we have to consider the possibility that an attack may be successful and put a plan in place to deal with the event.
Contributed by Tim Schraider, director, CS Risk Management
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.