This year’s eagerly anticipated Global State of Information Security report from PricewaterhouseCoopers has just been released and it highlights some awkward truths for UK firms. Over a quarter (28%) of British respondents claimed they don’t even know how many cyber-attacks hit their firm over the past year. This lack of cybersecurity maturity threatens to sink many UK enterprises at a time when cyber-threats have never had the potential to do so much harm.
What PwC has really highlighted with this report is that, beyond technology, the most resilient organisations work hard at creating a great cybersecurity culture. It’s not an easy thing to do, but with the EU GDPR landing in just seven months, it’s going to be an essential pre-requisite for business success in the future.
Unprepared and unsecured
The report’s 560 UK respondents – who hail from all sizes and types of organisation – revealed a worrying lack of cyber-preparedness. Nearly one in five (17%) claimed they don’t conduct any kind of cyber exercises or drills, while less than half (49%) carry out essential penetration testing. That’s not all: a third admitted they didn’t even know how the cyber-incidents faced over the preceding year occurred. This lack of cybersecurity visibility is deeply concerning; organisations can’t hope to have an effective security culture if executives have so little interest in finding out what’s going on.The @pwc_llp Global State of Information Security report reveals a worrying lack of cyber-preparedness, via @philmuncasterClick To Tweet
Fortunately, the report also lays bare the potentially catastrophic impact of such attacks. Although only 14% said they faced direct economic losses as a result of an attack, it’s pretty clear how damaging they were. UK firms suffered an average downtime of 19 hours from security incidents over the year. That might not seem like much, but it soon adds up: the Ponemon Institute reckons the average cost of datacentre downtime is $9000 per minute, or $540,000 per hour.
Aside from downtime, 20% of firms said they had employee records stolen, 21% had internal records damaged or stolen and 23% had customer records compromised. This last one is prime GDPR territory, meaning that serious breaches of customer PII could from May 2018 result in fines of up to £17m or 4% of global annual turnover, whichever is higher.
If these stats aren’t telling enough, just take a look at the brand damage, customer losses and financial hit in the tens of millions that TalkTalk suffered since its breach. Or consider credit agency Equifax, which is already losing government contracts as a result of a cyber attack which breached the PII of 145.5m Americans and nearly 700,000 Brits.
Towards better teamwork
So, what does it take to get things right? One key takeaway from PwC is the importance of collaboration, both internally and with third parties. In fact, cybersecurity partner Richard Horne says:
“Cyber security needs to be viewed as a ‘team sport’ rather than just an issue for the IT team. To be most effective, everyone in an organisation should be considering the security implications of their actions. Pulling a business together like that requires strong leadership from the top.”
At the very top, GDPR fines should be focusing board-level minds on security. But it doesn’t appear to be happening much at the moment: just 34% of UK boards actively participate in cybersecurity strategy, versus 44% globally.
Collaboration is also vital when it comes to incident response; in fact, teams need to comprise members from across the organisation for a fully joined-up effective response to a breach or serious cyber attack. Yet only 53% of respondents said they have in place a cross-organisational team featuring leaders from finance, legal, risk, human resources, and IT security which meets regularly to work on strategy.
As for reaching out across the corporate firewall to collaborate with government and peers, just 44% of UK firms do this formally, versus 58% globally. This needs to change, especially as Brexit threatens to harm cross-border information sharing partnerships.
In many ways, what we’re seeing here echoes some of the findings from a Barracuda Networks report from earlier in the year, which highlighted a serious lack of understanding about how the security works in the cloud.
A plan of action
Now, cultural change can be difficult to achieve, but not impossible. It should begin with comprehensive training and awareness programmes backed up by clear and effective policies. This is also easier said than done, but when you’re thinking about training, remember to keep lessons short – say 15-30 minutes – and relevant. Manageable chunks are easier to absorb and can fit around employees’ busy schedules more easily.
Ensure you test each employee on what they’ve learned and regularly update topics to keep it relevant. Don’t forget to include temporary staff and even contractors so there are no weak links in the chain. Of course, an organisational culture only really works if it’s driven from the top down, so it’s vital to get buy-in from the board. The GDPR is a great opportunity to do just this, so take time to explain the business impact of poor cybersecurity, and tweak lessons for senior execs to reinforce the message.
After that, think about your security controls. As always, best practice risk mitigation should include:
- Strict access controls featuring multi-factor authentication for sensitive data/systems
- Continuous network monitoring
- Regular patching
- Strong encryption for sensitive data at rest and in transit
- Protection at endpoint, network, cloud and email/web gateway layers
- Regular back-ups, as per the 3-2-1 rule: three copies on two different media with one offline
- Cyber-insurance, if appropriate
Phil Muncaster is a technology writer and editor with over 12 years’ experience working on some of the biggest technology titles around, including Computing, The Register, V3 and MIT Technology Review. He spent over two years in Hong Kong immersed in the Asian tech scene and is now back in London where information security has become a major focus for his work. Follow Phil on Twitter here and connect with him on LinkedIn here.
Phil Muncaster ist technischer Redakteur und Herausgeber mit über 12 Jahren Erfahrung bei einigen der größten Technologiepublikationen auf dem Markt, darunter Computing, The Register, V3 und MIT Technology Review. Er verbrachte mehr als zwei Jahre in Hongkong und konnte dadurch tief in die asiatische Technologieszene eintauchen. Jetzt ist er nach London zurückgekehrt, wo die Informationssicherheit zu einem wichtigen Schwerpunkt seiner Arbeit geworden ist.