Financial, services, technology and energy companies paid the highest price, according to the 2016 Cost of Data Breach Study produced by ANZ.
But don’t think it’s just the big end of town that is under attack. Despite their modest size, SMEs are equally vulnerable and can be easy targets. According to Symantec’s 2016 Internet Security Threat Report, the rate of cyber attacks on businesses with fewer than 250 staff has risen steadily over the last five years. In fact, in 2015, SMEs fell prey to 65 per cent of ‘spear phishing’ attacks, in which shysters tried to pass off malicious information-gathering emails as legitimate in order to capture passwords and other secure information that can be used to gain access to otherwise secure systems.
Increasingly, the conduit for this malice is that swelling monster network, the Internet of things (IoT). By 2020, more than a quarter of identified enterprise attacks will involve the IoT. One example is the recent case of hackers breaching IoT security cameras to access networks and create a huge DDoS attack. The attackers hijacked CCTV cameras made by the surveillance firm Hangzhou Xiongmai Technology, using malware known as Mirai. The attack took down sites - including CNN, Spotify and Twitter - for long periods, showing how hackers can control a growing number of online gadgets connected to the Internet of things and disrupt the online world on a massive scale. Meanwhile, Gartner worryingly predicts that only 10 per cent of IT security budgets will be allocated to preventing attacks via IoT vulnerabilities.
Instead of just fretting about cyber threats, businesses should target their security budgets precisely. Businesses must ensure they allot enough resources, in step with the massive potential financial cost, rather than hope they stay lucky in the face of devious variants, such as ransomware.
The Asia Pacific region’s most common malware strain, ransomware, holds a device or system hostage by blocking access until a ransom is paid to nix the constraint.
The scourge with the most piratical overtones can come in the shape of attachments. Or it can be dropped onto vulnerable devices by ‘exploit kits’ when the user visits or is steered to a compromised site. Either way, businesses must keep tabs on security vulnerabilities and run updates in line with what they find.
Each audit should include an assessment of emerging threats, such as ransomware and ‘shadow IT’ (solutions built and used inside organisations without explicit organisational approval). One way to address this threat is to devise a ‘safe list’ of assessed, permissible apps.
Likewise, managers should be mindful of the potential, haphazard headaches posed by the ‘bring your own device’ (BYOD) trend. In both cases, an effective preventative measure is to create robust passwords. A password that uses symbols, numbers and letters is tougher to crack. Consider implementing 16-character passwords that are formidably difficult to work out. Changing compliance requirements that may cause upset should also be subjected to scrutiny.
If you just wing it, you may suffer consequences beyond financial loss. A hacker attack may dent brand image and additionally result in legal compliance issues.
Your audit should be integrated into an ongoing security strategy, involving a partner who is capable of ensuring your cyber security stays current at all times. Doing the job alone is difficult. Almost certainly, you will need assistance, so do not be afraid to reach out.