Richard Knowlton, ex group corporate security director at Vodafone, spoke today at IP Expo about protecting enterprise security, noting that according to a recent report by Allianz, UK businesses lose approximately £2.8 billion a year to cyber-crime, and that only accounts for the figures which are actually reported. Fewer than one in 100 such crimes are actually investigated by the police, and as a result being a cyber-criminal has become a very lucrative business with low overheads and no fixed location.
Knowlton went on to say that only 10 percent of UK businesses have a cyber-security policy to protect their business from IoT threats, and as a result, in 2014 there were over 70 million sets of compromised data. And the threat will only get worse. Gartner, the technology research firm, predicted the IoT growing from 4.9 billion devices to 25 billion by 2020. Yay for tweeting fridges!
This can only mean one thing: businesses are opening themselves up to huge financial loss, business interruption and the loss of IP rights, depending on what is stolen during a breach.
So what can businesses do to fight the ever-growing threat of cyber-crime?
Knowlton's first point was adopting company-wide corporate responsibility, declaring that everyone from the board of directors right down to the mail room attendants needs to take responsibility in order to fight cyber-crime effectively. This way, a company can properly assess its risks and processes, and then mitigate those risks using cyber-risk management tools. Interestingly, he mentioned that most boards would class a cyber-breach as a time to buy more tech. But new tech might not help against company employees writing passwords down on post-it notes.
And this brought him nicely to the second step: to survive in 2016 and beyond, corporations must implement a culture of security and training, and even go as far as running security awareness programmes. He reminded delegates that while most would only consider hostile governments, organised crime and terrorists as credible security threats, employees are unfortunately a weak spot in a company's defences as well. It doesn't even have to mean things like storing financial details in an unencrypted form; small things like writing passwords down and not adhering to company data protection policies matter too.
Finally, he spoke of corporations having a Business Continuity and Crisis Management policy. As the threat is so high, companies must behave as if a breach is inevitable, and the policy should involve everyone. For business continuity purposes a corporation must act quickly: assess the damage and the area of impact, look at the scale of the attack, and then formulate a strong plan, tell customers and deal with regaining their trust.
"Cyber threats must be dealt with holistically," Knowlton concludes.