'Safe haven' or cyber target?

David Carney from PwC discusses the key findings of the latest security breaches survey conducted by PwC and the consequences for Channel Islands businesses if not taken seriously

‘93% of large organisations and 87% of small businesses had a security breach last year’ … do you still think this is something that won’t affect you?

Security Breaches at the highest levels recorded

The results of the latest security breaches survey, commissioned by the Department for Business, Innovation and Skills (BIS) and conducted by PwC, have recently been published online at bit.ly/17ftGvK.

The results are alarming, with security breaches at their highest level since the surveys began in the early 1990s, and the average number of breaches suffered having increased by 50% in the last 12 months.

Attacks on the rise

“78% of large organisations were attacked by an unauthorised outsider in the last year”

Attacks are no longer limited to traditional computer hackers showcasing their skills. Today, adversaries come from unexpected sources including nation states, organised crime, hacktivists, terrorists and even employees. Motives include economic espionage and profiting from the sale of sensitive information.

The political motive, in my opinion, represents the greatest threat to Channel Islands businesses, particularly surrounding the tax debate and the perceived “tax haven” status with which we are labelled by an outside world that seems to have little knowledge or experience of our stringent regulations. You don’t have to spend long on an internet search engine to discover local examples of politically motivated data breaches or financial losses.

We’re only human!

36% of the worst breaches resulted from inadvertent human error.

Sometimes, unsophisticated attacks through “social engineering” (the art of manipulating people) can be the most effective, such as mimicking a trusted individual or sending a seemingly innocent e-mail attachment or website link. Either can result in an inadvertent but significant disclosure of highly sensitive or potentially damaging information, large fines, and considerable damage to reputation and trust.

Too often, attacks could be prevented through improved security awareness. In large organisations, only 42% provided ongoing security training, yet in the majority of cases breaches resulted from poor understanding of security policies.

Sadly, the human effect is not limited to error. 10% of breaches were a result of deliberate misuse of systems. With large volumes of highly sensitive information accessible at the click of a mouse, and advancing technology providing the means to copy data to portable devices, webmail and social networking sites, often undetected, more and more data breaches are apparent. Most certainly this contributed to recent disclosures of customer balances from “offshore” bank accounts to authorities and media organisations across the globe.

The “tone at the top”

“Where senior management are briefed frequently on the potential security risks, security defences tend to be stronger.” Whilst 4 in 5 organisations believe senior management place a high or very high priority on information security, and spending on IT security continues to rise, many businesses can’t translate this into effective security defences.

So what are the key failings in our armoury?

  • Failure to regularly brief the board on current security risks
  • Insufficient priority placed on information security, e.g. staff awareness
  • Responsibilities for data protection are often unclear: who “owns” the data, the business or IT?
  • Weaknesses in risk assessment, e.g. failing to recognise the threat around technology advances such as cloud computing
  • Insufficient security skills within the organisation

Moving with the times

Four fifths of respondents are using at least one cloud computing service, and 83% of large organisations hold confidential or highly confidential data in the cloud. Most notably for the Channel Islands, financial services are amongst the most likely to have confidential data on the internet. Social networking and mobile computing remain high on the agenda for leveraging marketing opportunities and additional flexibility. These can pose a threat if not appropriately controlled, but should not necessarily be locked down provided risks are appropriately managed.

Tackling the threat

A successful information security management programme must be flexible. Modern systems are generally decentralised, and it would not be cost effective or efficient to treat all sources of data in the same manner.

When we talk with our clients, many do not have a clear view of what information they hold. Without a full understanding of your data, where it is stored and who is responsible for its whole lifecycle, you cannot be confident that your precious information assets are protected and that you comply with relevant statutory and industry requirements.

It is no longer a question of if you will be attacked but rather when, so be prepared. Incident response and contingency plans are of utmost importance to ensure you can respond to key threats. Your best defence is a security-conscious culture: empowering information security managers to address cyber threats at board level, and ensuring staff understand their role in defending the organisation.

Many are now considering international standards such as ISO27001 to demonstrate their commitment to compliance and promote trust amongst key stakeholders.