Andrew Watson, Chief Technology Officer at MHR International, explains how businesses can ensure a stronger cyber strategy.
Reports into cyber security this year continue to highlight how businesses everywhere face significant external and internal threats, even if the scale and tactics fluctuate. The UK government’s Cyber Breaches Survey, for example, found fewer businesses reporting attacks or breaches in the last 12 months (39%) than in the previous year (46%). But this was up from 32% in 2019.
Phishing attacks remain a favourite tactic. Among companies that know they were attacked over the last 12 months, more than eight in ten (83%) were targeted in this way, rising to 91% among large firms. The next most common type of attack was impersonation, usually by email, experienced by 63% of large firms. Larger businesses are also more likely to report unauthorised use of computers or networks by employees (15%, compared with 2% overall).
Globally, this year’s Verizon Data Breach Investigations Report, which examined 29,000 incidents, found that denial-of-service and web application attacks were the most common incidents overall. But in breaches where data was actually compromised or stolen, the most effective tactic was social engineering, which exploits publicly available or stolen details about members of staff and about how the organisation works.
The costs cyber-criminals inflict on businesses
Estimates of the costs inflicted by breaches vary hugely. This year’s respected IBM Cost of a Data Breach Report puts the average cost of a breach at $4.24 million, whereas the UK Cyber Breaches Survey puts the typical impact in the tens of thousands of pounds. The two figures are not directly comparable, as the studies cover organisations of very different sizes and count different costs, but both show a bill that goes well beyond the initial incident: forensic consultancy, remediation, stakeholder communications, legal advice and new technology.
Damage from insider threats
All data requires a high level of protection, and internal threats should be taken just as seriously as external ones. Breaches caused by negligent or malicious employees continue to be a major problem: a study by Bitglass found that 61% of organisations reported at least one insider attack over the last 12 months. The damage caused by insider data breaches is both financial and reputational, leading to loss of confidence among customers and suppliers.
The aforementioned Verizon report examined 222 breaches caused by insiders abusing their privileges and found that financial gain was the motive in 64% of cases and that grudges motivated 14%. In 64% of these attacks it was personal data that the malicious insiders compromised. As the report points out, these internal attacks are difficult to detect and, although not as common as phishing or business email compromise, are potentially very damaging.
Organisations hold their employees’ personal information within their own systems, and an employee whose data is compromised may have grounds to claim compensation for distress and financial loss. A 5,000-strong group of employees of the Morrisons supermarket chain in the UK brought a case against their employer, for example, claiming it was liable for a breach of their personal data. They were among 100,000 employees of the company whose details were dumped on a public file-sharing site by a disgruntled IT employee in 2013. Although the UK Supreme Court ruled last year that Morrisons was not vicariously liable for the breach, organisations need to remain vigilant to avoid such time-consuming and costly legal battles.
Organisations need a multi-faceted, more innovative approach to security
There is, however, plenty that organisations can and should do to shut down opportunities for cyber-criminals or insiders to ransom, steal or destroy data – especially HR data. Encryption, multi-factor authentication and behavioural analytics all offer significant protection and mitigation in the face of constant threats.
Businesses should move to a zero-trust security model, accepting that no perimeter will keep out all malicious activity. Access to data should be limited to what people need to do their jobs and no more, and every request should be authenticated and authorised as if it came from outside the network, regardless of where it actually originates.
Behavioural analytics are highly effective and make financial sense
Advances in AI provide another important layer of security, using analytics to spot unusual behaviour in a system and shut down unauthorised activity. This makes a significant difference. This year’s IBM Data Breach report calculates that the average cost of a breach in organisations with security AI and automation was 80% lower than in those without such technology ($2.9 million compared with $6.7 million). The comparison is drawn across the surveyed organisations rather than from a controlled experiment, but the gap is large enough to be hard to ignore.
By implementing such technology in an HR and payroll context, it is possible to assign a risk score to each employee, determining their level of access. AI technology can monitor activity and alert security managers when an employee appears to behave outside their usual profile or privileges.
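The two preceding sections describe least-privilege access evaluated on every request, and a risk score built from each employee’s usual behaviour. The following is an added Python example of how those fit together; it is not MHR’s product code nor anything from the cited reports. It builds per-user baselines from a constructed history of HR and payroll access events, scores each new request against the requester’s own baseline and a least-privilege role table, and returns allow, step-up authentication, or block-and-alert without regard to which network the request came from. The role table, history, weights and thresholds are all assumptions chosen for illustration.

```python
"""Behaviour-based risk scoring for HR and payroll access requests.

Added example only: not MHR's product code. The role table, baseline history,
weights and thresholds are all assumptions chosen for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Least-privilege role table (assumed): a role may perform only these actions.
ROLE_ACTIONS = {
    "payroll_clerk": {"view_payslip", "run_payroll"},
    "hr_admin": {"view_employee", "edit_employee"},
    "engineer": set(),  # no HR data access at all
}


@dataclass(frozen=True)
class Access:
    user: str
    role: str
    hour: int           # local hour of day, 0-23
    action: str
    records: int        # number of employee records touched
    mfa_verified: bool  # identity proven for this request, wherever it came from


# Constructed history of "normal" use, used only to build per-user baselines.
HISTORY = [
    *[Access("alice", "payroll_clerk", h, "view_payslip", n, True)
      for h, n in [(9, 12), (10, 15), (11, 9), (14, 14), (15, 11), (16, 10)] * 2],
    *[Access("bob", "hr_admin", h, "view_employee", n, True)
      for h, n in [(8, 3), (9, 5), (13, 4), (17, 6), (10, 2)] * 2],
]


def build_baselines(history):
    """Per-user profile: usual hours, usual actions, mean/stdev of records per access."""
    by_user = defaultdict(list)
    for ev in history:
        by_user[ev.user].append(ev)
    profiles = {}
    for user, evs in by_user.items():
        counts = [e.records for e in evs]
        profiles[user] = {
            "hours": {e.hour for e in evs},
            "actions": {e.action for e in evs},
            "mean": mean(counts),
            "stdev": pstdev(counts) or 1.0,  # guard against a constant history
        }
    return profiles


def risk_score(ev, profiles):
    """Return (score, reasons). Each deviation from the user's own baseline adds points."""
    score, reasons = 0.0, []
    if ev.action not in ROLE_ACTIONS.get(ev.role, set()):
        score += 5.0                      # outside the role's least-privilege scope
        reasons.append("action outside role")
    prof = profiles.get(ev.user)
    if prof is None:
        score += 3.0                      # nothing to compare against: treat as risky
        reasons.append("no baseline for user")
        return score, reasons
    if ev.hour not in prof["hours"]:
        score += 1.5
        reasons.append("unusual hour")
    if ev.action not in prof["actions"]:
        score += 1.5
        reasons.append("action never seen for user")
    z = (ev.records - prof["mean"]) / prof["stdev"]
    if z > 3.0:                           # bulk access far beyond the user's norm
        score += min(z, 10.0)
        reasons.append(f"record volume z={z:.1f}")
    return score, reasons


def decide(ev, profiles):
    """Zero-trust decision for one request: evaluated identically whatever network it
    came from, default deny, step-up authentication on elevated risk, block and alert
    on high risk. Thresholds are assumptions."""
    if not ev.mfa_verified:
        return "deny", ["MFA not verified"]
    score, reasons = risk_score(ev, profiles)
    if score >= 5.0:
        return "deny_and_alert", reasons
    if score >= 1.5:
        return "step_up_mfa", reasons
    return "allow", reasons


PROFILES = build_baselines(HISTORY)

if __name__ == "__main__":
    for req in [
        Access("alice", "payroll_clerk", 10, "view_payslip", 13, True),   # routine
        Access("alice", "payroll_clerk", 3, "view_payslip", 4000, True),  # bulk pull at 3am
        Access("alice", "payroll_clerk", 10, "run_payroll", 12, True),    # permitted but new
        Access("carol", "engineer", 11, "view_employee", 1, True),        # outside role
        Access("bob", "hr_admin", 9, "view_employee", 4, False),          # no MFA
    ]:
        print(req.user, req.action, *decide(req, PROFILES))
```

Two design choices matter here. Baselines are per user rather than global, so a payroll clerk reading fifteen payslips is routine while the same clerk pulling thousands at 3am scores as a bulk dump, which is the pattern behind the Morrisons incident. And the decision falls to deny by default: a request with no verified identity, an action outside the role, or a user with no history is treated as risky regardless of whether it arrived from the office network, which is what zero trust means in practice.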
Employee training will also help reduce the mistakes that lead to data exposure, but it can only go so far. All organisations must think about cyber security in the round and consider internal threats as well as those emanating from organised criminal groups and hacking gangs. Encryption, multi-factor authentication and, especially, behavioural analytics should all be on the agenda. Although the threats change from year to year and from business to business, and no single solution will remove every vulnerability, organisations must approach security holistically, deploying more advanced technologies against internal and external threats alike.