Cyber readiness depends on more than just technology

Out-Law Analysis | 10 Sep 2020 | 8:15 am | 3 min. read

Investment in technology alone is not enough to prepare businesses for addressing the cyber risks they face today.

People, processes and policies, as well as preventative systems, are all necessary components of a robust cybersecurity programme.

There is a growing imperative for businesses to become 'cyber ready', particularly with the shift towards greater levels of remote working and use of technology spurred by the Covid-19 pandemic. Recent research carried out suggests this fact is well recognised by businesses.

The CrowdStrike Asia Pacific and Japan state of cybersecurity report, published in July, highlighted the results of a survey of more than 2,000 people in board room or other managerial roles. According to the survey, conducted between 26 May and 7 June this year, 54% of businesses across the Asia Pacific region have changed their security programmes as a result of Covid-19.

We are seeing a trend in companies enquiring about reviewing the security of their IT systems and engaging in drafting an incident response plan for cyber breaches. Many are asking how cyber ready their company is.

One of prompts for this trend is the risk of data breaches – a risk heightened by the shift to remote working and persistent shortcomings in encryption of data or devices on which it is stored.

The risk of data breaches has been highlighted in a number of high profile examples, most recently when British research company Comparitech reported that it had found that data concerning as many of 235 million social media users was available online via a database that could be accessed without a password or other means of authentication.

The data had been scraped from a number of social media platforms by Social Data, a Hong Kong-registered company that sells data on social media influencers, Comparitech said. According to the report, Social Data denied the data had been "obtained surreptitiously" and said that the information gathered was publicly available on the social networking sites, though Comparitech said scraping data from the platforms was against the platforms' terms of use.

In most cases, cyber breaches stem from the use of social engineering or use of malicious software (malware) or so-called ransomware, where victims are locked out of access their own systems and data, and called on by those responsible to pay a fee to regain that access. The New Zealand Stock Exchange recently faced sustained cyber attacks over a number of days in a move that halted trading. The rise of ransomware attacks in particular highlights the need for businesses to have a comprehensive incident response plan that provides for contingencies in the event they are hit by a major cyber attack. The incident response plan is sometimes also referred to as the contingency plan or emergency response plan.

The CrowdStrike survey found that 74% of organisations have a cybersecurity emergency response plan, but 14% of respondents admitted theirs does not, with the remaining 12% in the dark over whether any such plan exists in their business.

In more positive news, the survey also found that 69% of businesses had changed their cybersecurity emergency response plans in light of the Covid-19 pandemic. It is just as important, however, that such plans are regularly tested to identify gaps that might arise in practice and to ensure everyone involved in the operation of those plans understands their and everyone else's role so they can work together effectively if a breach occurs.

Training employees is a crucial part of cyber breach prevention too. In particular, employees need to be aware of what to be on the look out for to be able to spot phishing emails and other forms of social engineering, and who to make a report to in the event of a cyber attack.

According to CrowdStrike, 61% of companies in Asia Pacific have provided additional training in security to their employees as a result of Covid-19, and 76% of companies plan to engage employees in such training in future.

Addressing the cyber risks emerging from the pandemic is an opportunity for businesses to reset the way they think about cyber readiness. Investment in technology to protect IT systems is important, but this should not be done without first reviewing whether existing processes, policies and systems are satisfactory. While technology can enhance processes, the foundations need to be right. Cybersecurity programmes need to be reviewed from head to toe.

Cyber readiness can only occur when businesses have the three 'Ps' in place:

  • People – teach your workforce to spot potential threats and have a team ready to act if there is a cyber attack;
  • Policy and procedures – review policy and procedures to make sure they factor in the risks posed by remote working and arising out of the Covid-19 pandemic; and
  • Prevention – have good systems in place and make sure the vulnerabilities within your systems are attended to. Without resolving these vulnerabilities even the most technologically advanced systems will not protect your company and its assets.

In cases where businesses are dependent on third-party suppliers, such as technology providers, they should review their contracts with those providers to ensure risk is appropriately apportioned and further check that suppliers have the right policies and procedures in place to effectively manage cyber incidents that have the potential to impact the services provided.