Back To Cyber Basics: Debunking 4 Cyber Myths
With cyber attacks constantly evolving, SMEs must step up to protect and prepare against severe business disruption.
Cyber risk has become a top concern for organisations in all industries, ranking number one in Aon’s 2021 Global Risk Management Survey and fourth for clients in Singapore.
Cyber criminals were quick to capitalise on the move to remote work and online business during the COVID-19 pandemic. Ransomware attacks grew dramatically, increasing 400 percent from the first quarter of 2018 to the fourth quarter of 2020, according to Aon’s 2021 Cyber Security Risk Report. The report suggests that business costs associated with ransomware attacks could reach $20 billion this year.
Cyber insurance is only part of the solution to online attacks; businesses must also attend to their overall cyber wellness.
Organisations that lag behind often subscribe to a number of commonly held “myths” about where to focus their security efforts. These myths prevent the accurate assessment of risk and exposures and hamper the implementation of proactive measures to protect critical assets and successfully manage a breach when it occurs.
In this article, we outline four cyber myths that are commonly seen across companies of all sizes and sectors in Singapore.
Myth 1: Cyber Is Merely an IT Issue
The information technology (IT) department works full-time to implement, update, and maintain technology for the company and is expected to manage the associated risks. As cyber threats continue to increase, IT departments can easily become overwhelmed.
Reality: Cyber Preparedness Starts at the Top and Affects the Entire Organisation
Taking a comprehensive view of how cyber risk affects the business across various functions is the responsibility of the entire organisation. Executives, inclusive of the board of directors, must be familiar with the specific risk issues that affect their organisation’s security posture, especially regarding its most critical assets, or “crown jewels,” and then ensure the right departments are involved in devising a comprehensive strategy. This way, security is not only aligned with IT but also tied to the business and the executive leadership team.
“Individuals are a critical first line of defence against attacks. Once phishing happens and there’s been a compromise to systems, it becomes an enterprise-wide issue. We can’t be too careful here – encourage employees to take a screenshot of any suspicious emails and provide it to IT,” explains Andrew Mahony, Head of Cyber Solutions, Asia.
Setting the tone at the top helps create buy-in at the highest levels to assess the company’s exposure to cyber risk. This perspective also helps teams implement the necessary remediation and proactive cyber security programmes to guard against worst-case scenarios in the event of an attack.
Myth 2: Technology Solutions Are a “Silver Bullet”
While technology is clearly an integral part of effective cyber risk management, investments in technology alone will not fix the problem.
Companies may overlook the impact of human behaviour – malicious or otherwise – on cyber security. Whether it stems from simple employee curiosity or from carelessness, these blind spots are often the weakest links in a company’s armour.
Reality: Technology Can Be a Part of the Solution – But It’s Not the Entire Solution
Companies need to not only verify that their technology profile is up to date but also implement and maintain that technology effectively. To minimise “insider risk,” any access to the company’s critical assets must be governed by strict processes and procedures based on the principle of least privilege: each user and system is granted only the access its role actually requires, and privileged access is tightly controlled and reviewed.
Prioritising programmes geared to employee awareness, education and training is also an important step to address common, human-related vulnerabilities, such as malicious attachments in emails, phishing and social engineering tactics and weak passwords.
From IT to legal, compliance, human resources, business innovation and other departments, it is critical to create a multidisciplinary team that can assess, manage and respond to risks across different departments and functions. Ultimately, even with the most sophisticated and advanced technology, a culture of security must permeate the whole organisation.
Myth 3: Regulatory Compliance Equals Security
As seen most recently with the Personal Data Protection Act (PDPA) being passed in November 2020, Singapore’s regulators are stepping in to address consumer privacy and data concerns. While compliance with these regulations is necessary to avoid fines, lawsuits and other issues, compliance alone will not address cyber attacks or security compromises.
Reality: Regulatory Compliance Is Only the Bare Minimum
Compliance provides a mere snapshot into a company’s security profile at a certain point in time, whereas effective security is a continuous process of improvement.
While regulators design regulations with effective security in mind, compliance requirements should be viewed as a baseline to support due diligence in cyber security. Compliance should not be seen as the end goal in cyber security but as an opportunity to improve overall data hygiene on an ongoing basis. Investing in compliance with cyber security regulations is also a chance to create additional security wins.
Myth 4: Only Industries that House Sensitive Data Are Under Direct Threat
Companies that hold sensitive data, including personally identifiable information (PII), health care data, credit card data and personal health information, are obvious targets for cyber attacks. However, across industries, all companies require protection of trade secrets, intellectual property and sensitive data.
Reality: Companies of All Sizes Across All Industries Have Vulnerabilities
Aside from the sheer growth of technology and increased entry points for breaches, malicious cyber actors have also shifted their focus. Increasingly, as recent ransomware attacks have demonstrated, attackers are exploiting vulnerabilities with the specific aim of disruption. For example, ransomware demanding a few hundred dollars from users is designed to wreak havoc, not necessarily extract the highest payments possible.
Cyber risk is evolving rapidly, so identifying where the risk lies can be a moving target. That is why companies, especially SMEs, must remain vigilant to prevent severe business disruption.
Step up your business’s cyber security today!