Picture the situation. You are talking to a client and a board member steps forward to voice their concern about investing in information security: “We make widgets, we are not a bank, we do not need to invest in information security. Why would anyone attack us?”
A recent report produced by Kaspersky Lab which focused mainly on small and medium sized enterprises (SMEs) revealed that 75% of SMEs believed their business was too small to be of any interest to cyber criminals. 59% believed the information they held would not be of interest to cyber criminals.
What was interesting was the reaction to the report on security community forums. Some individuals agreed with the findings but also highlighted that companies too big to be classified as an SME are equally content to believe they are immune from the cyber threat.
What is apparent is that the cyber threat goes beyond the theft of personal data and intellectual capital. There is the impact of online business channels being disrupted. There is also the far from inconsequential matter of legal and regulatory obligations being compromised. Another, more subtle point that is often missed is that an organisation’s infrastructure could be used as the platform for a cyber attack on someone else; we have seen how criminals use compromised systems as part of a wider cyber theft ring. Systems and supply chains are becoming increasingly interconnected, with the result that smaller companies are connected to larger ones. We have all heard the expression that security is only as strong as its weakest link; cyber criminals can now potentially attack larger targets through smaller ones.
Regardless of size, all organisations have legal and regulatory obligations to their customers. Therefore, at a minimum, they need to ensure that the basic human element of information security is addressed. For example, all employees should be aware of the cyber threat. They should be aware of such concepts as phishing, spear phishing and watering-hole attacks, which are often used to trick staff into giving away confidential information such as passwords and account details, and which in turn give a cyber criminal access to an organisation’s infrastructure. It is therefore important that employees understand their employer’s information security policies, are educated to recognise a cyber attack, and know who to report it to. All too often, incident management processes are left out of awareness campaigns.
In reality there is no immunity from the cyber threat, and recognising this is the first and vital step on the road to developing a successful security management system.
There is a need for greater awareness and training in relation to cyber threats. Training must be relevant and applicable to a company and the sector it operates in. It is the duty of the security community to get this message across. In our next newsletter we will provide more detail of the innovative approach to presenting the message that is being developed by the analogies project.
Read the full April – Bridewell of knowledge