Tesco Bank and Three have both made the headlines in the past couple of weeks, as victims of a large cyber security attack. Law firms based in Ireland have seen increases in cyber attacks of up to 50% and there are significant warnings about the risk to healthcare providers. 5 Russian banks sustained an attack that lasted 2 days. A cyber attack managed to take down the internet for Liberia. Hackmageddon.com has a great timeline for cyber attacks globally per month, capturing those that do not make the mainstream press. Reading the list makes it clear that no organisation is immune, and with GDPR only a couple of years away, we should all be very worried. Retailers in particular should be concerned as we enter the busiest shopping period of the year.
What is concerning is that businesses do not seem to be catching on quickly enough with regard to the threat. The risks of a cyber attack are not just technical. The fine for TalkTalk was the least of their worries. They saw a loss of customers and a drop in their share price. Oracle have just announced that they will be purchasing Dyn, a web traffic management firm. This fits with their plans to scale their cloud offering and the deal was done before Dyn were the victims of a cyber attack which took thousands offline. Had the attack been at a different stage in the acquisition process, this may have affected the price agreed or may have even prevented the deal.
Our 2016 cyber security salary survey showed that improvements had been made, with more CISOs reporting to the board than in previous years. However, it would seem there is still some way to go for CISOs to get true buy-in from board members. Recently, CISOs have been talking to BeecherMadden about the challenge they have in securing funding for effective cyber security. Many are only able to gain adequate funding in response to a specific business issue, and this is promptly reduced again.
It may be that effective security controls become a way for a company to increase their customer base. Those in cyber security jobs should be thinking about how their company can promote good security controls to their customers, without accidentally making themselves a bigger target. Many customers affected by the Tesco Bank attack said to the press that they would change bank. There may be an opportunity for others to capture the market, as consumers become more aware of the risks.
A key component of a cyber security strategy should be ensuring the right individuals are in the right job. Not all businesses can afford, or should have, large-scale teams. Much can be outsourced and there are many fantastic vendors who can offer effective services. What is important is that there is the right individual who can communicate what risks exist and allow the business to respond effectively. They will need to co-ordinate the vendors and the communication, and ideally awareness around the wider business.