How many security incidents do you think the average business has a year? How many do you think the average business had 10 years ago? If you guessed that there was an increase from a decade ago, you would be right. 2019 research found that 61% of European and US businesses reported a cyber security attack in the last year, compared to 45% the previous year (1). We have also seen ransomware attacks growing by more than 350% annually (2), indicating that criminals are increasingly looking to cyber-attacks as a way to extort money. These types of attack are not only becoming more frequent, but also more severe in terms of the impact they have on a business.
The risk of over-reliance
The cybersecurity systems in place today have been effective at reducing how many devices are infected by a cyber-attack compared to the early noughties. However, the aim of cyber-attacks has moved on from infecting as many devices as possible. Today attacks look for a single weak link through which they can hold corporate systems to ransom or steal data.
This has become increasingly attractive as digitisation has moved more sensitive information and critical processing onto business IT systems. Now if those systems are taken down businesses can find they are not able to function.
For example, credit reference agency Equifax was de-rated by investors because of a cybersecurity incident which impacted nearly 150 million consumers (3), forcing it to double its investment in security. These types of potentially ‘company-killing’ events were very rare in the past, because there was always an offline back-up available to businesses. Our present reliance on digital and cloud-based solutions comes with increased vulnerability as the downside of increased convenience and productivity.
Concurrently, these vulnerabilities are becoming more complex as organisations evolve towards interdependent business models. For example, most organisations rely on technology and infrastructure managed and run by other businesses. An attack on one company therefore has a ripple effect, impacting other interdependent organisations. If the provider goes down, so do they.
When delivery company TNT was one of the many victims of the ‘NotPetya’ attack in 2017 (4), the outage propagated through its entire supply chain. This affected multinational corporations like advertising giant WPP, but it also left an antiques dealer out of pocket as a consignment of art disappeared while being shipped from Switzerland (5). While having an offline contingency plan ensures your own business can continue, there is no guarantee that your partners or their partners have one, which means the entire supply chain could still be impacted.
The good news is that by accepting how the cyber-threat landscape has changed, businesses can start to move towards a future with more transparency around cyber-defence and recovery across today’s digital supply chains.
A risk management approach
While businesses are never able to completely eradicate the risk of security threats, there are steps that can be taken to help prevent company-killing events from taking hold. As the world becomes increasingly connected and more dependent on technology, these tales of security woe remind us of the importance of taking a collaborative, collective and complete approach to ensuring security.
- Collaborative: Organisations need to begin collaborating against cybercrime. Criminals innovate quickly, and keeping pertinent information secret only increases their advantage. By pooling learnings from attacks, we can close the gap and make faster progress in discovering new defences. When Norwegian aluminium and energy company Norsk Hydro was breached, it invited the BBC (6) to document how it responded to and recovered from the attack, sharing important knowledge globally.
- Collective: As organisations start working together more closely, a culture of data protection must be consistently communicated and upheld across partnering organisations along the supply chain. Collective accountability across suppliers and clients is necessary to try and eliminate weak points across the whole IT ecosystem. For example, many firms will have a single admin password for all of their Microsoft accounts (7). Once one machine is compromised, that one credential opens every other machine, so malware can spread like wildfire, even across company boundaries where the same accounts are shared with suppliers. If the client holds the supplier accountable, and vice versa, these kinds of weak points can be closed.
- Complete: You need to establish as complete a view of the risk as you possibly can and identify which parts of your IT system are critical to your business operation, to help you take control of your information. This means thinking about aspects beyond just digital channels. For example, shared-use printers can be a weak point where data security practice is poor (documents left in output trays, unencrypted print queues, default device credentials), and outbound communications processes need to be taken into consideration when thinking about security across the whole document lifecycle. By considering all aspects of your information management, from document capture through to print management, you can develop the robust strategies necessary to protect your core business interests.
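The shared-admin-password weakness described under Collective is easy to audit once you have a credential inventory. The script below is an added example, not code from the article or from Canon: it assumes a constructed inventory in the form `domain\host:account:nt_hash` (the shape a SAM dump tool such as Impacket's secretsdump produces) and groups hosts by identical NT hash. Identical hashes mean identical passwords, so any group with more than one host is a single credential that unlocks all of them; the audit also flags when such a group spans more than one domain, i.e. crosses an organisational boundary. All host names and hashes are made up.

```python
"""Audit a local-admin credential inventory for password reuse across hosts.

Added example, not code from the original article or from Canon. Input format
(assumed):  domain\\host:account:nt_hash  -- one entry per line.
"""
from collections import defaultdict

# Constructed sample: a client and a supplier whose hosts share one local
# Administrator password, plus one supplier host with its own password.
SAMPLE_INVENTORY = """\
# domain\\host:account:nt_hash   (constructed data, not real hosts or hashes)
CLIENT\\ws01:Administrator:8846f7eaee8fb117ad06bdd830b7586c
CLIENT\\ws02:Administrator:8846f7eaee8fb117ad06bdd830b7586c
CLIENT\\fileserver:Administrator:8846f7eaee8fb117ad06bdd830b7586c
SUPPLIER\\print01:Administrator:8846f7eaee8fb117ad06bdd830b7586c
SUPPLIER\\print02:Administrator:5e884898da28047151d0e56f8dc62927
"""


def parse_inventory(text):
    """Return a list of (domain, host, account, nt_hash) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hostpart, account, nt_hash = line.split(":")
        domain, host = hostpart.split("\\", 1)
        rows.append((domain.upper(), host.lower(), account, nt_hash.lower()))
    return rows


def find_shared_passwords(rows):
    """Group hosts by (account, nt_hash) and keep groups seen on 2+ hosts.

    Same account name + same NT hash == same password on every host listed,
    so one stolen credential grants admin on all of them.
    """
    groups = defaultdict(list)
    for domain, host, account, nt_hash in rows:
        groups[(account, nt_hash)].append((domain, host))
    return {key: hosts for key, hosts in groups.items() if len(hosts) > 1}


def crosses_boundary(hosts):
    """True if a shared credential spans more than one domain (organisation)."""
    return len({domain for domain, _ in hosts}) > 1


def audit(text):
    """Return one finding per reused credential, flagging cross-org reuse."""
    findings = []
    for (account, nt_hash), hosts in find_shared_passwords(parse_inventory(text)).items():
        findings.append({
            "account": account,
            "nt_hash": nt_hash,
            "hosts": sorted(hosts),
            "cross_org": crosses_boundary(hosts),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        scope = "ACROSS organisations" if finding["cross_org"] else "within one organisation"
        print(f"{finding['account']} password shared by {len(finding['hosts'])} hosts {scope}:")
        for domain, host in finding["hosts"]:
            print(f"  {domain}\\{host}")
```

On the constructed sample the audit reports one credential shared by four hosts across both organisations; an inventory where every host has a unique local admin password (the state a per-host password management solution such as LAPS enforces) yields no findings. Run it against a real dump only with authorisation, and treat the dump itself as highly sensitive material.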
As businesses become more intertwined, the sharing of knowledge and accountability grow in importance in parallel. Working with partners who understand the issues and can help build a bigger-picture overview is an important step to take. Only by working together and taking control of your information can we keep one step ahead of cyber-attacks.
Quentyn Taylor, Director of Security at Canon EMEA