When a business falls victim to a cyber attack, there can be enormous financial repercussions, as well as legal and reputational costs.
Australia is a popular target for cyber criminals thanks to our relative wealth, high levels of online traffic and early technology adoption. In 2014, 693,053 Australian organisations experienced a cyber attack, costing millions and driving thousands of businesses into the ground.
In fact, 60 percent of hacked SMEs are forced out of business within six months of an attack, one major study found.
According to PWC, cybercrime has moved from being statistically insignificant over the past six years to the number one economic crime in Australia.
The most worrying thing? The simple method of delivery.
The issue is so big that Prime Minister Malcolm Turnbull is giving it his full attention: he was in Washington recently for the first Australia-US Cyber Security Dialogue.
He told the forum Asia-Pacific was the region most heavily affected by cybercrime — losing one third more business revenue to cyber attacks than either the EU or North America.
“The cost impact of cyber-attacks on companies is complex, and not limited to just a loss of shareholder value although this can be as we’ve seen significant,” Turnbull said.
He said governments, industry and academia needed to work together to tackle the cybersecurity challenge.
Danger is all around
The problem with cyber hacks is the method of delivery. Today, any email, sent any time, to any employee, has the ability to cripple a network.
Two out of every three emails circulating the globe are thought to be malicious, and a study has shown 97 percent of people can’t identify a phishing email.
And Australians are highly susceptible to being duped: we rank third in the world for countries with the most number of users who clicked on malicious URLs in 2015.
No matter how big or small your company is, risk mitigation is vital – and protecting against cyber threats is no different. Cyber criminals don’t discriminate, which means businesses of all sizes need a cybersecurity plan.
But what exactly does this mean? Here are five key elements that need to be considered:
Is your organisation located in one place or various locations? What does the management structure look like? How are your staff trained? These all play a role in how to respond in a crisis.
Regardless of the size of a business, every employee plays a key role in cybersecurity. A well-defined process in the event of a cyber emergency is vital for protecting your company against attack. Ensure that your team are clear on their roles and responsibilities.
Policy development and review
Security policies must be relevant, thorough and understood by all. If you don’t have a policy in place for bring your own device (BYOD), but your staff regularly access work email on their personal smartphones – or access personal email on corporate assets – you’re leaving your company exposed.
Strong oversight plays an important role in your ability to adapt to current and future challenges. The best cybersecurity frameworks are reviewed regularly and comprise regular audits of security policies, the implementation of technical controls and regular employee education. They should also include a plan for the future, focusing on deterring emerging threats and changes in the technological landscape.
“Defense in depth” means you don’t rely on any single solution to protect your business against potential threats. A good strategy adopts a multi-layered approach.
Do you have a network of IT and security professionals internally and externally to advise your business on the best tools and training to protect your business against potential threats?
Are you regularly backing up business-critical data?
You can’t protect what you don’t know you have. This makes asset classification vital. Identify and rate your key assets including intellectual property/competitive advantage, financial data and customer details.
Which software or appliances have you deployed, and do they protect you against all threats? For example, antivirus software can protect your business from known viruses and is important if a staff member introduces a threat on a USB stick, but it won’t protect against new and emerging threats via email or web, so you should deploy an email and web filtering solution as well.
In the same way, an email solution such as Office 365 or Google may have some spam filtering capabilities, but they won’t stop malicious and advanced threats, so they should be coupled with an advanced email filtering solution.
Staff are your number one asset, but uninformed, they also pose your biggest risk. Ensuring they can recognise potential threats, such as socially-engineered emails, can protect your business against an attack. Regular training about the risks of spear phishing and opening untrustworthy documents is integral. Vigilance is key.
Rapid response procedure
It’s one thing to get everyone in a room and train them about the telltale signs, but cybercriminal networks are fluid, changing their patterns and tactics regularly to break through defences and wreak havoc.
The most cyber-secure companies have a tested process outlining how to respond to incidents of any size – including those which might threaten the survival of the business.
Cybercriminals are getting smarter and their attacks more aggressive and targeted. Are you adapting just as quickly in order to survive?