According to the FBI's 2019 Internet Crime Report, reported cyber crime has almost doubled since 2015 and financial losses have more than tripled, from $1.1 billion in 2015 to $3.5 billion in 2019. The most commonly reported cyber crimes in 2019 were phishing, personal data breach, non-payment/non-delivery and extortion, each of which accounted for millions of dollars in losses. We will see later how phishing and ransomware (the cyber attack most often behind extortion) are closely linked.
In this article I will argue that no matter how strong and costly the hardware and software solutions a business acquires, without management taking a key role in information security there will always be gaping holes in its security posture. So I will discuss in detail how to prevent cyber crime with proper management buy-in and shared responsibility for information security.
It is also a miscalculation by most small businesses to assume that only the bigger names are targeted and that they themselves are not targets. In fact, 85 percent of small business owners consider their business safe from cyber crime. The situation on the ground is quite different: a study by Symantec found that almost 40 percent of cyber crime was directed at companies with fewer than 500 employees.
A 2019 study by NetDiligence likewise found that SMBs made up the bulk of claimants (96 percent), especially those operating in financial services, healthcare, education and professional services.
What should make a small business take information security seriously is the finding that, after a cyber attack, 60 percent of small businesses shut down within six months because they lack the resources to recover.
Issues with the current cyber crime prevention strategy
Treating information security as an exclusively technical function
The biggest problem with the current approach to cyber crime prevention at companies is that identifying and managing information technology risks, including privacy and information security risks, is viewed as a non-management issue, left to technical staff.
Managers generally tend to stay away from hands-on information security programs, but time has shown again and again that this is not the right approach.
It is understandable that complex network architectures and security configuration tools are not something managers want to work with. But senior management can still play its part by instituting an organization-wide information security program with strong management ownership.
They may delegate the technical roles to a chief information security officer or a similar position, but they must provide the impetus and full support for information security as a management function.
By defining key roles and responsibilities, and with the will to enforce them, management can ensure that some easily manageable security holes get plugged.
For example, one of the most common and potentially most serious weaknesses is failing to install software patches. The end result is compromised systems and expensive breaches involving the data of potentially millions of people.
You may recall the Equifax breach of 2017, which exploited a known vulnerability (in the Apache Struts web framework) that the company had been warned about; applying the available update would have closed the hole and prevented a breach that exposed the personal data of about 147 million people.
A large share of cyber crime can be prevented by timely patch management. It may surprise you that about a third of workstations in the healthcare sector run unsupported Windows versions for which Microsoft no longer issues security patches. The NHS learned this the hard way in 2017, when the WannaCry ransomware spread through its unpatched and unsupported Windows workstations.
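Management can only enforce a patching responsibility if someone produces the list of machines that are out of support or outside the patching window, broken down by the business unit that owns them. The script below is an added example, not part of the original article: it audits a constructed inventory (the hostnames and owners are invented) against a few public Microsoft end-of-support dates and a hypothetical 30-day patching SLA, and groups the findings by accountable owner so each unit gets its own action list.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Public Microsoft end-of-support dates for a few Windows releases.
# Assumption: verify against Microsoft's lifecycle pages before relying on
# these in production; the table is illustrative, not exhaustive.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows 7": date(2020, 1, 14),
    "Windows 8.1": date(2023, 1, 10),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
}


@dataclass
class Host:
    name: str
    os: str
    last_patched: date
    owner: str  # business unit accountable for the machine


@dataclass
class Finding:
    host: str
    owner: str
    issue: str


def audit_hosts(hosts, today, patch_sla_days=30):
    """Flag hosts on an unsupported OS and hosts outside the patching SLA.

    A host can produce two findings: one for lack of vendor support and one
    for a stale patch date. An OS missing from the table is reported too,
    because "unknown" must not silently pass as "supported".
    """
    findings = []
    sla = timedelta(days=patch_sla_days)
    for h in hosts:
        eos = END_OF_SUPPORT.get(h.os)
        if eos is None:
            findings.append(Finding(h.name, h.owner,
                                    f"unknown OS {h.os!r}: support status cannot be determined"))
        elif today >= eos:
            findings.append(Finding(h.name, h.owner,
                                    f"{h.os} unsupported since {eos.isoformat()}: no security patches"))
        if today - h.last_patched > sla:
            findings.append(Finding(h.name, h.owner,
                                    f"last patched {h.last_patched.isoformat()}, over the {patch_sla_days}-day SLA"))
    return findings


def findings_by_owner(findings):
    """Group findings by accountable business unit so each owner gets its own list."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.owner, []).append(f)
    return grouped


# Constructed sample inventory (invented hostnames and owners, not real hosts).
SAMPLE_HOSTS = [
    Host("ward-pc-01", "Windows 7", date(2019, 11, 2), "Clinical"),
    Host("ward-pc-02", "Windows 10", date(2020, 3, 3), "Clinical"),
    Host("fin-ws-07", "Windows 10", date(2019, 12, 20), "Finance"),
    Host("lab-srv-01", "Windows Server 2008 R2", date(2020, 1, 10), "Laboratory"),
    Host("hr-ws-03", "Windows XP", date(2018, 6, 1), "HR"),
]

# Audit date is fixed so the sample report is reproducible.
SAMPLE_AUDIT_DATE = date(2020, 3, 15)


def sample_report():
    """Run the audit over the constructed inventory and group by owner."""
    return findings_by_owner(audit_hosts(SAMPLE_HOSTS, today=SAMPLE_AUDIT_DATE))


if __name__ == "__main__":
    for owner, items in sorted(sample_report().items()):
        print(f"{owner}:")
        for f in items:
            print(f"  {f.host}: {f.issue}")
```

On the sample data, the only clean machine is ward-pc-02; every other host shows up under its owner, which is the point: the report names the unit that must act, not just the machine.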
Believing cyber crime can be prevented with costly technology alone
The second problem with current cyber crime prevention at companies is that senior management believes it can take care of information security by purchasing costly firewalls and other products.
What they ignore is the human element in information security, which is widely considered the weakest link in a security posture.
A very common example is phishing, which targets people directly and works even in the presence of sophisticated firewalls and spam filters. Attackers design phishing emails that play on emotions (urgency, fear, curiosity) to steal credentials, bypassing the technical controls entirely.
According to the Verizon 2019 Data Breach Investigations Report, about a third of confirmed breaches involved phishing. It has also been estimated that about 93 percent of phishing emails carry attachments loaded with ransomware.
It is management that needs to take the human element of information security seriously; otherwise, cyber crime prevention strategies will keep failing.
Leaving information security to the IT department alone
The third misconception among management is that information security can be handled solely by technical staff in the IT department. In fact, most IT staff are not trained in information security, and even those who are need support and coordination from other business units, because information security risk moves fluidly across the enterprise rather than sitting only in the technical infrastructure.
The best place to start is for senior management and the board to clearly delineate responsibilities for information security across every unit in the enterprise, with the understanding that information security is shared by everyone at the company and that everyone has a role to play in preventing cyber attacks.
Cyber crime is a growing problem for governments, businesses and enterprises of every kind. The most common view of cyber crime is that the bad guys (hackers) are breaking into systems and stealing data.
The objective reality is that hackers are only part of the problem. Far too many bad decisions are made by people who have the power to prevent cyber attacks, and that happens because management does not take security seriously enough.
Management ownership is the only way to prevent cyber crime against the company: management must take the lead rather than leaving security unattended as a technical function. Nor is it a one-time task. It is a constant battle that requires vigilance and continual involvement of senior management, and no security product will work in isolation.