Cyber attacks: risks and remedies for the modern firm
When many people think of cybersecurity, they think of two-step authentication, multiple passwords and firewalls - but it’s much broader than that. While these systemic defences are absolutely necessary for any business, data breaches are inevitable. So rather than spending energy and resources on prevention, businesses need to focus on managing cyber attacks quickly and efficiently to minimise the fallout. Data privacy is paramount for the financial and reputational health of any business - and in order to maintain this, businesses need to understand the risks and how to mitigate them.
At the 2019 LexisNexis Decoding Cybersecurity: Clause and effect Perth event, panellist Zahn Nel, Director at CT Group Solutions, said, ‘There are two types of businesses. Those who have been breached and those who are not aware they have been breached.’ Many of the best-resourced and most secure organisations in the world, including Facebook, Google and Maersk, have suffered high-profile breaches.
The damage from a breach can be severe and come in the form of regulatory penalties or fines, other financial damage resulting from the loss of data, and loss of reputation – which, in some cases, can be worse than the economic toll. For example, the Cambridge Analytica scandal has dragged Facebook’s name through the mud and it now faces a $5bn fine from regulators. Google suffered a huge drop in share price following a 2018 breach, and the damage bill from Maersk’s run-in with 2017’s NotPetya malware is estimated at $300 million.
There are many types of cyber attacks, and hackers will try different things depending on their intent - they may just want to incapacitate an organisation’s systems (DDoS attack) or they may decide to hijack data in order to extort money (ransomware attack). Hackers can gain access through a number of different means, but the most common way is through an organisation’s biggest vulnerability: its people.
A 2019 report from Kaspersky Lab found that some element of human error is present in 90% of data breaches. This could mean errantly clicking on a link in a phishing email, lax personal cybersecurity like leaving passwords somewhere easily accessible or using the same simple password across multiple systems. Hackers are skilled at identifying and exploiting these sorts of errors as it makes their jobs much easier - why waste time picking a lock when you can just take the key? Therefore, it is critical that businesses educate staff on best practice in cybersecurity and how to respond when a breach occurs.
While the vast majority of attacks come from outside the organisation, they may also come from inside - the most common example of this being disgruntled employees stealing and leaking data. In 2018, the electric vehicle giant Tesla discovered an employee had written code to regularly export large quantities of sensitive intellectual property and financial data which was being shared with undisclosed third parties. After uncovering the breach, Tesla alleged that the employee was disgruntled after being reassigned to a new role within the business and passed over for a promotion.
With so much at stake, businesses need a plan to maintain their defences and minimise financial and reputational loss in the inevitable event of a data breach. There are some key steps that every organisation should be taking to minimise their vulnerability to cyber attack:
- Create and communicate a functional and actionable cyber resilience strategy. This should include processes relating to systems and people in order to protect against attack.
- Develop, maintain and update breach response plans. Businesses must carefully consider and document how they will respond to an attack.
- Complete regular staff training for a culture of cyber awareness. From phishing tests to involvement in drill scenarios, awareness of best practice must be engrained throughout the business.
- Ongoing privacy impact and security assessments. These are essential to ensuring plans remain relevant amidst an environment of rapidly shifting threats.
It would be wrong to say that any business can ever be 100% secure, or fully immune to cyber attack. But by following the steps above, businesses can reduce the likelihood of attack and drastically reduce the financial and reputational damage resulting from a breach.