How To Protect Your Business From A Cyber Attack

Transcription

1 Intelligence FIRST helping your business make better decisions Cyber security Keeping your business resilient Cyber security is about keeping your business resilient in the modern technological age. It is about meeting the threat posed by a range of attacks perpetrated using the same online networks that are critical to the way we interact and do business. It is about how you deal with this particular risk to your organisation, and centres on corporate culture and behaviour not just technology. Cyber attacks are now endemic, but this doesn t mean your organisation is powerless. By being cyber secure you can take steps to protect what is valuable to your organisation, in terms of assets and reputation. This CBI Intelligence FIRST guide sets out why cyber security should be prominent in board discussions right now. Inside Page 3 Why cyber security matters to your business Page 4 What exactly is under threat? Page 5 How to become cyber secure Page 9 Actions for the board Don t give this to your CIO until you ve read it first March 2013

2

3 CBI Intelligence FIRST cyber security 3 Why cyber security matters to your business Changes to the way we do business have increased the risk Most companies now operate cross-border and have a strong presence in international markets. They have widely dispersed supply chains, operating multiple customer channels. And there has been a major shift in the way that we routinely share and store data, with a big emphasis on mobile working. The risk profile is changing Cyber attacks are now endemic, with over 90% of large companies likely to have suffered a breach in the year Some reports estimate that global companies are suffering 15,000 attacks a day, reaching ten times that for organisations such as a large global bank. (Sources: PwC Info Sec survey 2012/Financial Times, 24 January 2013) but complacency is threatening many businesses A BAE Systems Detica survey found that 61% of companies stated that it would take a cyber-attack on them or a competitor for their boards to properly address the risk: that s clearly too late. (Source: BAE Systems Detica 2012 Cyber Security Monitor) A cyber attack can have a major impact on investors, supply chains and customers. It can result in: Monetary theft by accessing financial systems Hackers accessing your systems to steal trade secrets or valuable intellectual property (IP) Business interruption by shutting down critical systems Loss of customer, employee or other commercially sensitive data Damage to brand through loss of customer trust or a malicious attack. Helpful analysis from the World Economic Forum shows that cyber attacks became the fourth most likely global risk in 2012 Cyber attacks as one of five headline global risks 4.03 Severe income disparity 4.03 Chronic fiscal imbalances 3.88 Rising greenhouse gas emissions 3.80 Cyber attacks 3.79 Water supply crises Very unlikely Almost certain Source: World Economic Forum

4 4 CBI Intelligence FIRST cyber security What is exactly under threat? If cyber attacks are a likely risk, what about their impact? The cost to businesses in the UK of cyber attacks has been calculated at around 21bn annually. (Source: The cost of cyber crime, Detica and the Cabinet Office) These breaches take a range of forms and the risk to your organisation may include threats to the following: The brand Valuables Systems Who are the hackers? It could be a range of actors including rival organisations, criminal gangs who have targeted public services in the past, or professional/state-sponsored hackers based in areas such as the former Soviet Union. Malicious codes or malware can be used to disrupt consumer-facing services. Example: a code injection hack on the operating system of a leading entertainment firm in the spring of The resulting cost was estimated to be in the region of $138m. Online malware can be used to steal trade secrets, valuable data or sensitive information with commercial implications. Example: The use of a virus called the Backdoor Trojan in 2011 to target the R&D and manufacturing data of 50 chemical and defence firms. Cyber attacks can also shut down the provision of crucial services through critical national infrastructure (CNI). Example: The oil firm Saudi Aramco was attacked in August 2012 by hackers, forcing the shut down of 30,000 workstations.

5 CBI Intelligence FIRST cyber security 5 It s time to become cyber secure: here s how to do it Treat it as a regular business risk: embed it as part of your on-going risk management activity. Get your governance structure right: You need to ensure that you have a designated member of staff or a risk team in place that is responsible and accountable for the risk of cyber attack alongside all other concerns on your risk register. Ensure your designated lead member of staff or risk team continually undertakes three critical tasks and keeps reporting back to the board: this is about making sure you can respond to the threat of cyber attack in a dynamic way. Three steps for your team: 1 Identify what is valuable to your organisation and assess the risk. The boards of all companies should consider the vulnerability of their own company to these risks as part of their normal corporate governance and they should require their key advisers and suppliers to do the same Jonathan Evans, head of MI5 Mansion House speech, June Ensure your internal processes around staff behaviour are adequate. Make sure your technology and software is properly robust and up to date. Let s look at these in more detail

6 6 CBI Intelligence FIRST cyber security 1 Identify what s valuable to your organisation and assess the risk The central question to ask here is cyber attacks are a risk to what? or what is properly valuable to the critical operations of this company? We are not just talking about information per se, but about all forms of data that are fundamental to the company s business model including datasets used for HR purposes, client services, product development and business planning. Your team will then be in a position to do the following: Identify what s valuable to the organisation and gauge whether there are any existing threats to be aware of (presenting this as part of a risk assessment exercise at the board meeting). Answer the question what is the figure that we could not stand to lose? This will help give you an awareness of value by quantifying what you could lose through inaction. It will also equip you to consider and justify the opportunity cost of allotting time and resources to mitigate the threat. Identify who currently has access to what kinds of data, trade secrets or valuable systems within the organisation and why this is the case: don t discount the possibility for internal doors to be left open either accidentally or even intentionally by staff or consultants. Last year for example, an Austrian-based employee of the Massachusetts wind-energy company American Superconductor stole intellectual property from the firm and sold it to the Chinese wind turbine manufacturer Sinovel for $1.5m (New York Times, 14 February 2012). 2

7 CBI Intelligence FIRST cyber security 7 2 Ensure your internal processes around staff behaviour are adequate Get the basics right Around 80% of the risk of cyber attack to your organisation can be mitigated through getting the basics right. 1 This means keeping security in mind when designing policies and processes for: Flexible working arrangements Bring your own device /the sharing of information via personal as well as professional devices User privileges: make sure access requirements and passwords for sensitive data are robust and secure. Influencing human behaviour and initiating a culture change from the top is vital With four out of ten people now using smartphones, 2 strict safety policies together with examples of good practice on the use of work information need to be evident from board members down. There s always scope to be innovative On passwords, for example, recent survey research from Microsoft confirms the obvious point that alphabetical passwords are either so easy to remember that they are frequently guessable or so difficult that they are rarely remembered. Many companies are therefore beginning to experiment with new forms of password security using pictorial and graphical prompts. Keeping staff educated is a key means of ensuring your firm is cyber secure Human error can lead to unforseen consequences cyber attackers are able to enter networks through planted USBs and other simple means. Employee awareness of the issues around cyber security is of vital importance and so a sense check of what employees know already is a useful step to continually repeat. 1 GCHQ estimate 2 OFCOM estimate

8 8 CBI Intelligence FIRST cyber security 3 Make sure your technology and software is properly up to date With online networks so central to our everyday activities, dealing with the threat of cyber attack means accepting this as an endemic risk and finding a way to manage it. But don t waste time trying to become the next Fort Knox. Cyber security requires up-to-date software with the right safety mechanisms to guard your company valuables or the critical networks your business operates. Additionally, it requires software that can help monitor and detect potential threats, with backup systems to ensure continued delivery for consumers and investors in the event of a cyber breach. If your risk team finds your existing systems are inadequate, investment in improvements may be necessary to protect your company valuables. Investment should be weighed against the valuation of the things you can t afford to lose. Advice on how to ensure your organisation s software systems are secure and crucially on how to adapt in the event of a cyber attack, is available from external consultancies together with computer emergency response teams (CERTs), which provide real-time data and information about how to respond to constantly evolving cyber threats. Becoming cyber secure means constantly adapting to developments in technology. With changes to the way we store commercially sensitive information, such as in the cloud, make sure your team knows the location of the server which holds your data (in terms of jurisdiction), and whether your data is secure. 3

9 CBI Intelligence FIRST cyber security 9 The crucial slide: actions for the board to cover in a meeting With these issues accounted for, make sure you address all angles by covering the following points in your board meeting: Consider 1 a risk assessment Do a fly-past exercise to determine the company s current state of health and your existing policies. Identify what data, information, or systems are valuable to your company operations. Make sure you get an accurate 23 assessment of what the risk to these valuables might be and gauge whether your risk team is aware of existing threats. Turn your attention to risk management Consider the crucial cost/benefit decisions to invest in improvements to internal networks. Decide whether any outside help or investment is required to strengthen your software mechanisms, your ability to detect threats, or for programmes such as staff training. Focus on resilience to protect your reputation Make sure you are prepared for the possibility of a cyber attack by having a contingency plan which ensures you can continue to deliver products and services. This will mean your ability to deliver for the people who matter is not damaged.

10 10 CBI Intelligence FIRST cyber security Learn more about cyber security The CBI s range of activity includes: Liaising with the UK government to convey industry s broad view of cyber security including messaging for the board and mechanisms for reporting attacks Monitoring regulatory developments in the EU, including the EU s cyber security strategy, which could impose new reporting requirements on businesses Raising the profile of cyber security in business through articles, speeches and roundtable events. Other important sources of information: Ten steps to cyber security guidance released by the UK government in September 2012: docs/0-9/ steps-to-cyber-security-executive.pdf Pathways to global cyber resilience document from the World Economic Forum: PathwaysToGlobalCyberResilience_Report_2012.pdf For more information please contact James Nation [email protected] tel:

11 CBI Intelligence FIRST cyber security 11 >>>>>>>>>>>> Secure your networks and critical information, secure your reputation and your future success <<<<<<<<<<<<

12 Intelligence FIRST Intelligence FIRST brings together: The CBI s inside knowledge of up-coming changes in legislation and regulation Informed CBI commentary and analysis on significant public policy and other major developments Critical and timely economic and business trend assessments. If you have concerns about: How your business should prepare for major changes in legislation and regulation Where the economy is headed and how it will impact on your sector What the long-term legacies of the credit crunch and recession will be across the business landscape What you need to know for your business to manage the transition to a low-carbon economy Intelligence FIRST is here to help. Your account manager will keep you in touch as new Intelligence FIRST guides become available. Product code CAG_ENT_365