Cyber-security has quickly soared to the top of every business' agenda this year; recent and devastating cyber attacks such as Petya and WannaCry prompted business and IT leaders to reconsider their approach to cyber-security.
High-profile cyber-attacks are nothing new of course and yet, far too often, businesses address security vulnerabilities only after being compromised by a cyber-attack. As the world becomes increasingly digital and business operations move online, cyber threats will only become more prevalent.
Last year in the UK, more than 46 percent of businesses suffered from a cyber-attack or breach of their computer systems, compared with just 24 percent in 2015 – almost double.
Cyber-attacks are estimated to have cost UK businesses as much as £30 billion in 2016, according to research from business ISP Beaming. This claim is further backed up by the National Crime Agency (NCA) Cyber Crime Assessment 2016 that estimates the cost of cyber-crime to the UK economy is “billions of pounds per annum – and growing”.
The problem is that while businesses and IT leaders are prioritising cyber-security investment, the investment in that security has always been responsive, rather than preventative.
The vulnerability which WannaCry exploited was initially discovered by the US National Security Agency (NSA) two months before the actual attack. The NSA discovered that there was a vulnerability within the Windows Server Message Block (SMB) protocol – and used this weakness to develop EternalBlue, an exploit for its own usage. However, rather than report the vulnerability to Microsoft, which would have allowed it to rectify the problem and prevent the damage that both WannaCry and Petya caused, the NSA remained silent.
Subsequently, as a result of complacency, the WannaCry worm spread rapidly – and if it were not for the IT security expert MalwareTech, who knows how much damage it would have caused?
Hackers are nothing new. They have been around for an entire century, with the first hack back in 1903 (if we're being historically accurate). So why, when it comes to cyber-security, are we responsive and not preventative?
Security experts have seen it all before, so what's the problem? When it comes to preventing a cyber-attack, what needs to be done?
Top tips to eliminate cyber-security complacency
- Train your employees
Employees consistently neglect software updates. Many routinely close software update windows or turn them off entirely. Therefore, there needs to be more education about the benefits of updating the business' digital infrastructure, as well as software, hardware and devices.
We have seen it all before; the vast majority of people just don't want to know. AV-TEST, an independent IT security institute, registers over 390,000 new malicious programs every day – and yet people don't run security updates.
- Don't rest on your laurels
Most organisations don't have a sense of urgency about cyber-security. There is a great deal of investment in deploying the latest cyber-security software – but what happens after? Cyber-security needs to be a continual process. Most businesses act as if there is plenty of time to address these problems – there isn't.
- Spend your money wisely
The costs of cyber-security are increasing as a result of recent high-profile cyber-attacks. However, make sure you're investing in the right areas, e.g. cyber, physical and people.
- Plan ahead
Data security experts often focus on the previous attack and how to stop it from happening again, rather than planning for future attacks. Security should, of course, be put in place to stop the same attack happening again, but make sure your data security expert or IT team tests against hypothetical scenarios to identify new threats.
- Educate your employees
It's so important it's worth including twice. More often than not, the weak link in data security is the human operator, and a failure to provide enough education about security processes and procedures leads to false assumptions about security. Employees assume that because their router has a firewall, the network is secure. However, by the time a machine identifies a problem, it's already too late.
Be proactive. Not reactive.
Contributed by Steve Inglessis, commercial director, DataRaze
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.