SPONSORED: Want to know the real reasons why firms suffer disastrous cyber breaches?

No, this is not an article about technology. It’s a high-level summary of the underlying circumstances which, in our experience, allow cyber attacks to succeed, writes Mitigo CEO Lindsay Hill.
Getting the wrong people to advise and audit
In almost all of the cases we investigate following a cyber breach, the victim firms were relying upon their IT or technology Managed Service Provider (MSP) to look after their cyber security without understanding that cyber risk management is a separate and dedicated, specialist discipline.
It requires (amongst other things) real expertise in undertaking cyber risk assessments (which goes well beyond technology risks); an understanding of the risks attached to people and lack of governance; an acute awareness of the current methods of attack taking place in your sector and the means to defend against them; real expertise in operational resilience; as well as knowledge of your legal and regulatory responsibilities.
Crucially, your cyber security advisers should be independent of your IT or MSP, because having people mark their own homework is simply a nonstarter from an assurance or compliance perspective.
Your advisers should be impartial, and they should not also be selling you security technology, since that gives them a conflicting financial interest in their recommendations.
There are other reasons to separate your cyber risk management advisor from your supply chain. Your dependency upon them for too many things may well already be one of your cyber or operational resilience risks. How can you possibly get proper risk advice and oversight of your supply chain from someone who sits in a critical position within it? Bear in mind that MSPs are being targeted by attackers. If you or they get breached, you definitely don’t want them to be the very people you are relying upon for advice and help to recover from it.
And it goes without saying that failing to undertake regular cyber risk audits at all is not only a breach of legal and regulatory requirements, it also means the firm has no assurance and is leaving itself wide open to cyber attacks.
Thinking that security is all about tech
It is not. Security and configuration of technology is of course fundamental. But so much more is needed. Security involves a combination of defences with many layers. The majority of cyber breaches start with human error: someone clicking on something they shouldn’t, or someone bypassing technical protections by giving away security credentials.
The combination of AI, social engineering and the use of native English-speaking affiliates is resulting in more successful attacks from phishing and voice phishing (vishing). Staff need to be trained to spot attacks, and simulated attacks will test that the training is working. The culture of the organisation needs to be one where staff are not afraid to speak up if they think they may have made an error which jeopardises security.
Good governance is also essential. You must have in place the right policies and procedures that fit your business and the way you work. Governance arrangements must include a process for regularly testing, assessing and evaluating the effectiveness of your cyber control measures, and reporting the outcomes to all relevant stakeholders.
Not taking it seriously enough: incorrect or inadequate allocation of resources
Cyber should now be at the top of every organisation’s risk register, with at least the same prominence as any financial or legal risk. Of course, staying secure has financial implications - it is now a cost of doing business and staying in business. We have seen first-hand the consequences of failing to address risk properly because it seemed expensive to do so.
But it’s not all about money. Breaches occur where the firm has not treated security as a senior leadership matter. As the Government’s Cyber Governance Code of Practice emphasises, cyber risk management is a board level matter. And anyone in doubt over the ICO’s approach to the necessity for senior management oversight should read the Interserve case (£4.4m fine).
Both executive and non-executive board members and partners are responsible for the security and operational resilience of their organisations. They must own this risk. It should be discussed at board meetings using proper management information. They should make themselves aware of the cyber risks their business faces, and obtain (on an ongoing basis) independent assurance that their cyber controls are in place and working effectively, because information which is business critical must be reliable.
The fatal combination of complacency and misconception
We see many incorrect assumptions and misconceptions:
- Like thinking that your organisation is too small to be attacked and not understanding that criminals usually target vulnerabilities rather than specific firms. Once in, they will investigate the scope for stealing data, encrypting systems, diverting payments, moving up and down supply chains, etc.
- Or not being aware of the criminal ecosystem and underestimating the strength of your foe. These are serious, well organised (albeit illegal), criminal enterprises, looking to make serious money. Stealers obtain confidential credentials and act as lead generators for access brokers who assess potential and sell leads on. Affiliates buy Ransomware as a Service (RaaS) tools which have been developed by sophisticated ransomware gangs based in overseas jurisdictions. The gangs are experienced and skilful in developing products, hosting leak sites, assessing the ransom value of stolen data and business downtime, and managing ransom negotiations.
- Or being persuaded by technology vendors that cloud services keep you safe, whereas, in reality, they merely change the nature of risk, which in many cases actually increases.
- Or ignoring supply chain risks by failing to consider how a supplier’s breach might affect you, the extent of data sharing or integrations, critical supplier dependencies and fallback plans if they go down, the need for supplier due diligence, etc.
- Or failing to investigate minor breaches or “near misses” in order to understand the root cause. Because often they are a forerunner to far more serious breaches.
- Or believing that having certifications such as Cyber Essentials (CE) or Cyber Essentials Plus (which is merely an audited version of CE) prove that you are secure. They do not. They can be a good starter and a useful badge for satisfying supply chain requirements. But CE only covers a number of technical controls which are necessary but nowhere near sufficient to provide proper protection (or legal compliance).
- Or thinking that cyber insurance offers adequate protection in the event of a serious breach. It does not. Insurance is not a substitute for cyber management. It constitutes the transfer of residual risk once you have taken steps to manage your cyber security in the first place. It may cover some financial costs, but it will never repair all the damage to your business, its reputation, its client relationships, the sleepless nights, or all of its financial losses.
The upshot
Business men and women work long and hard to create value for themselves, their partners and shareholders. It can be soul destroying to see that value demolished by one cyber incident.
If any part of this article has struck a chord with you, consider reaching out to someone who truly understands how to support your journey. It might just be one of the smartest business moves you make.
Mitigo is the Law Society of Scotland’s strategic partner for cyber risk management.
If you’d like to discuss how to protect your firm, strengthen your governance, and reduce the risk of a serious breach, contact Mitigo today:
Email: lawscot@mitigogroup.com
Phone: 0131 564 1884
Online: https://mitigogroup.com/contact-us/