The invisible threads that hold our modern technological society together also represent one of its key weaknesses. The web of IT networks, the proliferation of connected devices and our ever-growing reliance on mobile devices all combine to make a tempting and often easy-to-exploit target for cybercriminals.
We are all vulnerable to malware, hacking (by individuals, organised gangs or even state-sponsored groups), denial of service attacks and online fraud. The result can be catastrophic: just look at the string of high-profile security breaches over the last few years. Every kind of business, from big banks to retailers to online dating sites, has been hit, ruining the victims' hard-earned reputations almost overnight and causing untold misery for those who have had their identity or financial details stolen.
In recent years a raft of legislation and industry standards has been brought in to counter the growing and evolving threats, from the EU General Data Protection Regulation (GDPR) to the payment card industry's PCI DSS standard. But sometimes the medicine can seem almost as bitter as the illness itself, with businesses struggling both to protect their systems and to demonstrate compliance with complex national and international data security rules.
With many businesses lacking the skills, the knowledge and the resources to make themselves both safe and compliant, how can they keep themselves and their customers safe – while enjoying the benefits of our interconnected world?
Business unprepared for today’s threats
Recent research by the UK government found an alarming lack of preparedness among some of the country’s biggest businesses. According to the board-level survey of FTSE 350 companies, less than a third said that they received “comprehensive” reports about cyber-crime, and even fewer said they were trained to deal with a security breach.
The picture is no better for smaller businesses. Almost half of SMEs lack a cybersecurity plan, while three quarters have not budgeted for the impact of an attack.
Unfortunately, every business is a potential target for cybercrime. Threats range from tried-and-tested tactics such as denial of service and phishing attacks to newer malware such as this year's WannaCry ransomware worm, or the Mirai botnet, which hijacks the connected devices that make up the Internet of Things. As these threats proliferate and become more sophisticated, businesses of all sizes are forced to set aside increasing amounts of time and budget to meet them, leaving most in-house teams overstretched, underfunded and lacking critical expertise.
As if the threat level were not enough, the world faces a severe shortage of the skills needed to combat cybercrime. A report by Frost & Sullivan and (ISC)² found that the global cybersecurity workforce faces a shortfall of more than 1.5 million roles by the end of the decade.
The “talent gap” means that every business is competing for a scarce resource, with the result that hard-pressed IT and security employees are stretched to their limits. Those that can’t hire sufficient security specialists are forced to train up junior employees, but this still leaves them lacking the knowledge to combat the more advanced threats and make the best use of security technologies.
The skills shortfall also has an important impact on businesses’ ability to prepare for and meet the strict criteria of regulations – such as the GDPR, which takes effect in only a few months.
Getting the right help
No business can completely protect itself from the most determined cyber attacker, yet it is also true that the large majority of threats are opportunistic and exploit easy-to-fix weaknesses. Weak passwords are a perennial problem in organisations of every size, and the so-called "advanced" Mirai botnet spread by exploiting a basic weakness in connected devices: factory-issued usernames and passwords that were never changed, which the malware simply tried in turn until one worked.
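The weaknesses described above are easy to check for before an attacker does. The following is an added example, not code from the original article or from any vendor it mentions: it audits a constructed inventory of device and service accounts for unchanged factory defaults, very short passwords, passwords equal to the username, entries on a common-password list, and the same password reused across several hosts. The inventory, the default-credential list and the common-password list are all constructed for illustration (the defaults are widely published vendor defaults, not a reproduction of the list Mirai carried), and the minimum length of 12 is an assumed policy value.

```python
"""Audit an account inventory for the password weaknesses that opportunistic
attacks (default-credential scanners such as Mirai, credential stuffing)
rely on.  Added example; every list and record below is constructed."""
from __future__ import annotations

from dataclasses import dataclass

# Constructed subset of widely published factory defaults: (username, password).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("root", "root"),
    ("root", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("user", "user"),
    ("support", "support"),
}

# Constructed list of very common passwords an attacker would try first.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "12345678", "111111"}

# Assumed policy value; adjust to the organisation's own password policy.
MIN_LENGTH = 12


@dataclass(frozen=True)
class Account:
    host: str       # device or service the account belongs to
    username: str
    password: str   # plaintext, held only transiently by the auditor


def check_account(acct: Account) -> list[str]:
    """Return the weakness labels that apply to a single account, in a fixed order."""
    findings: list[str] = []
    user = acct.username.lower()
    pw = acct.password
    if (user, pw) in DEFAULT_CREDENTIALS:
        findings.append("default-credential")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("common-password")
    if pw.lower() == user:
        findings.append("password-equals-username")
    if len(pw) < MIN_LENGTH:
        findings.append("too-short")
    return findings


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Map 'host:username' to its findings.  Accounts with no findings are omitted.

    Besides the per-account checks, a password that appears on more than one
    host is flagged, because one compromised device then unlocks the others.
    """
    hosts_by_password: dict[str, set[str]] = {}
    for acct in accounts:
        hosts_by_password.setdefault(acct.password, set()).add(acct.host)

    report: dict[str, list[str]] = {}
    for acct in accounts:
        findings = check_account(acct)
        if len(hosts_by_password[acct.password]) > 1:
            findings.append("reused-across-hosts")
        if findings:
            report[f"{acct.host}:{acct.username}"] = findings
    return report


# Constructed inventory: an IP camera still on factory defaults, two DVRs
# sharing one strong password, a router on a common password, a printer
# service account with a short password, and one account that passes.
SAMPLE_INVENTORY = [
    Account("cam-01.example", "admin", "admin"),
    Account("dvr-02.example", "root", "Sup3rS3cretDVRpass!"),
    Account("dvr-03.example", "root", "Sup3rS3cretDVRpass!"),
    Account("router.example", "admin", "password"),
    Account("printer.example", "svc", "Printer2017"),
    Account("fileserver.example", "backup", "Tr0ub4dor&3-long-enough!"),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE_INVENTORY).items():
        print(f"{key}: {', '.join(findings)}")
```

Running the script against the constructed inventory flags five of the six accounts; only the file server account passes every check. In practice the inventory would come from a device management system or a scan, and the default-credential list from the vendor documentation for the equipment actually deployed.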
The best response to today’s threats is for businesses to adopt robust information policies, combined with the latest security technologies, such as encryption. Yet without the skills to plan and implement these programmes (not to mention ensuring compliance with new regulations), organisations could be forgiven for wondering how they will approach such a difficult task.
First, businesses must make security an urgent priority. After all, the last few years have shown that no business is too big (or too small) to suffer a breach. They must then assess their own weaknesses against current threats, and stress-test their security systems and policies rather than assuming they work.
But businesses need not feel that they have to do this on their own. They should enlist the help of their existing IT suppliers to obtain the right security tools, along with guidance that will help protect them from all but the most targeted and persistent threats, and to stay on the right side of the law.