Cyber-attacks are an ever-increasing threat to businesses and organizations worldwide. But despite increased awareness and investment in cyber security, many businesses and organizations fail to prevent these attacks. This blog will take a closer look at some of the reasons why they fail, along with some top tips on how to embed a solid cyber security structure.
Underestimating a threat
One of the key problems when it comes to cyber security is not truly knowing how serious or damaging the threat can be. While many organizations recognise the need to protect themselves from cyber-attacks, they may underestimate the risk or believe they will not be a target for attack. This can lead to organizations misjudging the cost of a successful attack and overlooking the need to invest in security.
An example of an organization that underestimated the threat is the Danish transport company Mærsk. In June 2017, Mærsk was hit by an extensive cyber-attack that largely paralysed the company’s IT systems and caused it to lose millions in revenue. After the attack, the company’s CEO stated that Mærsk had never imagined it would be the target of such an attack and that the company had underestimated the risk. (Ref: Cyber attack update – A.P. Møller – Maersk A/S, maersk.com). Maersk said the NotPetya cyber-attack could cost it around $300 million. (Ref: ft.com)
Alternatively, some companies may consider the risk from a cyber-attack to be minimal because they are not a large company. But according to a 2022 report from Verizon, the number one action type in its dataset for very small businesses is ransomware. The second most common is the use of stolen credentials, and social attacks such as phishing and pretexting are the third most common against organizations of 1-10 employees. In other words, the small size of a company or organization is no protection against cyber-attacks. (Ref: Data Breach Investigations Report 2022, Verizon).
Inadequate investment in security
Another reason why companies fail to prevent cyber-attacks is insufficient investment in cyber security. Cyber security is an ever-evolving field, and companies must invest in the latest technology and expertise to stay ahead of hackers. Although many companies recognise the need to protect themselves from cyber-attacks, they may hesitate to invest in security because of the cost and the uncertainty surrounding ROI (return on investment). In effect, such organizations are accepting a greater level of risk.
An example of this occurred in 2013, when Target suffered a data breach that exposed the credit card information of over 40 million customers. The break-in occurred because Target had failed to invest in an intrusion detection system that could have alerted the company to suspicious activity. Target had also failed to adequately secure its point-of-sale systems, which the attackers exploited. The incident is estimated to have cost Target more than $200 million, underscoring the importance of investing in cyber security. (Ref: Warnings & Lessons of the 2013 Target Data Breach, redriver.com)
The ever-changing threat picture
The inability to adapt to the constantly changing threat landscape is also a factor. Cybercriminals are constantly developing new techniques and tactics to circumvent security systems, and organizations that cannot adapt to these changes will be vulnerable to attack.
Simply being security-conscious is no longer enough, nor is having a prevention-only strategy. Organizations must arm themselves to survive attacks, maintain operations, and embrace new technologies in the face of evolving threats. This means establishing policies and processes that strike a balance between protecting critical assets, detecting compromises, and responding to incidents.
Cooperation and information sharing can help reduce the risk of cyber-attacks. But many organizations hesitate to share information about security risks, which can limit opportunities for collaboration between organizations and prevent a holistic approach to cyber security.
Inadequate training of employees
Every employee, from business staff to IT personnel to executives, should adopt a cyber-resilient mindset, which begins with recognising that they are the first line of defense against threats. But employees often lack the necessary knowledge and skills to identify and report suspicious activity. Several studies, including those conducted by Stanford Research, show that as many as 9 out of 10 data breaches are the result of human error, such as employees falling for phishing scams or using weak passwords. Nevertheless, many businesses do not provide their employees with regular security training.
Failure of basic security measures
Another common reason why businesses fail to prevent cyber-attacks is the failure to implement basic security measures. Basic measures, such as using strong passwords, regularly updating software and using two-factor authentication, can go a long way in preventing cyber-attacks. However, many businesses neglect these measures, making it easier for hackers to exploit vulnerabilities.
In 2017, Equifax suffered a data breach that exposed the personal information of over 145 million people. The breach occurred because Equifax failed to patch a known vulnerability in its systems, even though a patch had been available for months. The breach could have been prevented if Equifax had implemented basic security measures and regularly updated its software. (Ref: 2017 Equifax data breach – Wikipedia)
How can companies and organizations improve their cyber security?
Every organization that wants to improve its cyber security must take a holistic approach that accounts for technological, human and organizational factors. F24 provides the following recommendations to make your company more cyber-resilient:
- Invest in technologies that can help protect your organization’s systems and data. This may include firewalls, anti-virus software, intrusion detection software and backup solutions. It is also important to ensure that the security solutions are updated and regularly tested to ensure that they are working as they should.
- Build a cyber-resilient culture in which employees have sufficient training and awareness of cyber security. This can include training in recognizing and avoiding security risks, and developing a culture that emphasizes security. Organizations can also embed a digital security culture through policies and procedures that ensure employees follow cyber security best practices.
- Have a crisis management plan in place for a cyber breach. This can include a clear communication plan, ensuring that critical data is backed up and recoverable, and a clear plan to deal with any damage to the organization’s reputation.
- Adapt to the ever-changing threat landscape by ensuring that security systems and procedures are regularly updated. This may include using analytical tools to identify potential security risks and performing regular risk assessments.
- Collaborate and share information with other organizations in the industry to help improve cyber security across sectors and borders. This may include participating in industry collaboration or establishing a formal collaboration agreement with other organizations.