Cyber security: protecting your business and your clients
Paul Young, Director of Cyber Security, Deloitte Consulting
Simon Shorey, Head of Online Channels, Lloyds Bank Commercial Banking
There’s no doubt that the digital revolution is driving business innovation and growth. As well as driving down costs, technological innovations are presenting businesses with other opportunities, such as increasing integration and driving efficiencies. However, alongside these opportunities, technology is exposing corporates and their customers to new and emerging threats. Businesses are increasingly exposed to cyber attacks, which can result in damage to their reputation and brand, as well as financial loss and customer attrition.
From script-kiddies to hacktivists
There’s a clear need for businesses to protect themselves and their customers – but taking action is not necessarily straightforward. For one thing, not all cyber-criminals are alike. Perpetrators range from young ‘script-kiddies’, who embark on cybercrime for fun before focusing on financial gain, to organised networks of criminals. Other types of attacker include politically motivated hacktivists engaging in disruptive attacks at individual or group level, and sophisticated nation states and spies armed with significant funding and highly sophisticated monitoring and attack methods. At the same time, cyber attacks tend to include different stages of activity, which can make it difficult to identify threats early. Attacks can remain undetected for long periods of time while infiltrators assess the information they are able to gather, before conducting the noisier and more detectable process of asset capture.
The treasury threat
Anyone in a company can fall victim to a cyber attack – but access to sensitive financial information and systems makes treasurers a particularly attractive target. As such, they should be fully versed in the company’s risk management strategy. Treasurers should first and foremost be aware of the latest risks and understand the very high likelihood that the company will be the target of a cyber attack at some point – at some level, it’s almost inevitable. And the risk of actual breaches is high. A 2014 survey commissioned by the Department for Business, Innovation and Skills showed that 81% of large organisations had experienced a security breach over the previous year, with the average cost of their worst breach at £600,000-£1.15m.
In order to prepare for an attack, treasurers should also take action to reduce the net impact of any breach and minimise the time taken to recover. To establish current levels of resilience, they should ask themselves the following questions:
- Does my organisation know exactly what information is most valuable/most attractive to criminals?
- Do I have a clear procedure to follow in case of a suspicious action or event?
- Do I know who is monitoring security within the company? Do they have the appropriate skillset and provide sufficient information about current threats?
- What’s the worst possible outcome if my organisation were the victim of an attack?
- Is staff cyber-security awareness and training being taken seriously?
Cyber security is an evolving process. As hackers become more sophisticated and organised, it is important for businesses to constantly evolve and review their protocols. Prevention is better than cure – but a company cannot completely remove the risk that a breach will take place.
As such, it’s important to respond quickly when an attack does occur. A best-in-class cyber-security response would minimise the chances of defences being breached and, if they are breached, detect the infiltration within minutes, with the organisation immediately alerted. By identifying attacks so quickly, the company may be able to contain the breach, pass the details over to law enforcement officers and closely manage media coverage, enabling the business to continue to prosper. If, on the other hand, the breach is not detected and the unauthorised data transmission continues unchecked for several days, the impact of the breach is likely to be much more severe and could cascade in either direction along the supply chain.
Sensitive data may be irrecoverable, while rumours percolating on social media may result in adverse media coverage that cannot be controlled. The result: serious damage to the company’s reputation.
A company-wide concern
As they work to protect themselves and their customers, companies are ramping up security across their infrastructure and applications and are managing access to company systems more closely. But cybercrime is not just an IT issue: the risk touches people at all levels of the organisation. As well as increasing security, companies are also putting in place comprehensive company-wide plans.
With recognition of this issue growing at board level, cyber-risk governance has become a top-down priority. Companies are addressing staff behaviour by increasing awareness of the relevant threats and educating employees about the company’s security culture. In order to gauge their level of preparation, some companies are also using ethical hackers to test their systems and draw up a defence strategy to cover any scenario. By running attack simulations and incident response exercises, companies can dramatically improve their chances of resisting an attack.
In conclusion, the difference between succumbing to a cyber attack and thwarting it is preparation. By putting in place comprehensive measures to protect themselves, companies should aim to react to a threat within minutes rather than days. Companies should also remember that cyber criminals are becoming more sophisticated every day – so whatever strategy the company has in place should evolve in line with the associated threats.