What will it take for the C-suite to care about cyber-threats?
While cyber-attacks are on the rise, the C-suite remains seemingly unshaken - it's time to get proactive in tackling cyber-crime at board level. 

Many CEOs, CTOs and CIOs may sit around their boardroom tables, confident in the assumption that they have the best technological solution to secure their data while also keeping services running and server lights on. But one area of cyber-security that is often neglected by companies is the financial impact outside of infrastructure spending or the resulting losses in profit. 

It's no surprise to find that [London newspaper] City AM has highlighted this glaring omission, pointing out that only a third of British businesses have a financial plan in place in case of a cyber-attack. Research from Lloyds Bank reveals only half of companies contemplate the risks of a cyber-attack at board level, a worrying sign that the simple dots are not being joined.

Preparation for a potentially devastating cyber-threat is not purely about signing off budget lines for physical hardware and software protections; further lines must be added for the financial consequences such as paying a ransom while keeping the business going.  

On the former, the survey suggests one third of companies would pay such a demand to unlock their systems. But aren't you just opening the door to even more attacks in doing so? Even if you were willing to stump up the money, how much would you be prepared to pay and has this amount been insured for? Only a quarter of those surveyed by Lloyds Bank had policies covering such scenarios. 

The problem remains, though, that these 'cyber-insurance' policies simply don't cover everything – how could they when the threat landscape changes daily and it is an immature market for insurers? And when hackers have locked your systems and threatened to delete data if you don't hand over money, the decision on whether to pay or not can be a tough call, risking huge reputational and day-to-day damage, even putting lives at risk in some cases.

You only have to look at last year's NHS cyber-attack and the recent attack on the city of Atlanta's servers to imagine the fallout and destruction that could ensue. Of course, the best form of defence is a proactive defence, especially when cyber-attacks are getting far smarter at outwitting the checks and balances many currently have in place.

The biggest source of infiltration by criminal malware is email, and all it takes is one member of staff to click on a seemingly innocent attachment in an email that appears to have been sent from a known email contact. In fact, 74 percent of all successful malware and ransomware attacks find their way onto IT systems and to sensitive data through email attachments. Because email is the lifeblood of organisations, it can't simply be switched off to safeguard the business from attacks.

This does not mean your current security technology is entirely useless, but it does mean you must continually analyse its ability to protect you and ensure every border is protected. We're still witnessing companies applying a one-size-fits-all approach to cyber security, as if it's simply another tick-in-the-box exercise. This is a grave mistake. Every border needs innovative technology in place to keep threats at bay because the traditional anti-virus methods cannot keep up with the dynamic threat landscape that we see today.

But how often would a company run education sessions for employees to ensure they know what they should click and what they shouldn't? The old adage of 'if it looks too good to be true, it probably is' still has value, but cyber-attacks are becoming even more sophisticated and clever at disguising themselves in realistic-looking documents and links.
 
Alongside this, it is reported that only one in 10 cyber-crime cases are actually investigated by police, leaving the door wide open for the problem to grow out of hand in the coming years, with crooks knowing they are likely to get away with it if they just try their luck. The power is firmly in the hands of the cyber-criminal.

The advent of GDPR regulation, coming into effect in May, also raises fears. It means enterprises face much larger financial penalties should they suffer a data breach. The recent compromising of 150 million MyFitnessPal accounts is just another example in a long line of such attacks, which are increasingly becoming everyday news. 

It's disconcerting to learn that just half of companies are discussing these issues at the most senior levels. The problem must be taken seriously rather than parked as something that 'won't ever happen to us'. Then it must be tackled head-on – proactively rather than reactively.

Unless you are thinking proactively and embracing innovation to regularly close down attack vectors, you'll forever be on the back foot with potential fixes and patches, watching helplessly as cyber-criminals race ahead with new and successful attempts to bypass them.

Contributed by Greg Sim, CEO, Glasswall Solutions

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.