We recently undertook a research study amongst larger local business and public sector organisations on their views and opinions on cyber security. It is very timely and topical in light of the current GDPR legislation being put in place.
Outlined below is the associated press release.
The well-documented attacks of WannaCry and Petya earlier this year and the constantly evolving cyber security threat have placed a significant strain on IT resources, leading businesses and organisations in Northern Ireland to increase investment and strengthen levels of protection against cyber-attacks.
These are the findings of a new local survey* of both the public and private sector recently conducted on behalf of BT Business in Northern Ireland.
Those who took part in the study revealed:
Additional investment has been made in security technology, tools and resources including staff awareness;
They are introducing more frequent patching cycles for legacy systems;
The issue of cyber security is discussed at board level as a business, rather than an IT issue;
Some have in-house security expertise while others use third party resources to protect their business or organisation;
All of those questioned agreed that they were confident about their ability to deal with cyber security threats in the next twelve months, although they recognised the need to remain vigilant;
Despite that confidence, just over half of those surveyed said they had the skills they needed – in-house or otherwise – to deal with a cyber-attack.
Paul Murnaghan, Regional Director for BT Business in Northern Ireland, said companies need to be fully prepared.
“As this survey shows, both the public and private sector face big challenges, not least the constantly evolving cyber security threat and for some, even if it was readily available, there is a lack of trained cyber security expertise to manage and deal with that threat. Understandably, not every firm can afford to have this in-house.”
*Research commissioned by BT Business in Northern Ireland, conducted by FN Research via a series of 10 telephone in-depth interviews from 9th – 20th October 2017. The respondent was the person responsible for the telecoms within the organisation.
The new BT Business in Northern Ireland survey also revealed:
Scale and nature of the threat
There has been a definite growth in the number and invasiveness of cyber security attacks in the last 12 months. All the organisations surveyed have defensive protection, including firewalls, in place to scan emails and networks for threats or attack. Three organisations reported an actual cyber breach in the last 12 months – though these breaches were contained and no significant damage was reported; moreover, changes were made as a result.
One respondent said: “Every month over 100 million emails alerts, abuse, threats are received. All have so far been successfully blocked by the organisation’s software.”
In terms of the type of attack, the biggest challenge, owing to its ability to disrupt operations, was ransomware. As one of those surveyed said: “Ransomware has the potential to be the most destructive, in terms of damaging company operations – although phishing has the potential to be the most lucrative for criminals.” None of those surveyed had experienced denial of service, but all remained constantly vigilant.
Raising and maintaining awareness of the cyber security threat within the organisation was an ongoing challenge, as was encouraging staff to act quickly in the event of a breach, to minimise the potential for damage.
“We put a lot of effort into cyber security, but with people’s behaviour you can never be 100%.”
With IT seen as central to business and not just a support service, a further challenge cited by those surveyed was their organisations’ increased reliance on IT, meaning any disruption to service from a cyber-attack would have a much greater impact on the overall ability to function. The increased connectivity of equipment within organisations has meant a greater exposure to the cyber security threat throughout the whole organisation.
Compliance with the EU General Data Protection Regulation (GDPR) by May 2018 is a further challenge for a number of organisations, as is finding a balance between systems security and end user accessibility, while continual patching can create its own problems and disrupt service.
Impact on digital transformation
The cyber security threat has increased the cost of digital transformation as building in security from the start is adding time and cost to the systems development.
“We are in the process of procuring an online platform and it certainly is with security designed into the solution – whereas previously security may have been a secondary consideration.”
Obstacles to overcoming the cyber security threat
A lack of trained personnel was reported by most as an obstacle to overcoming the cyber security threat, with the continued growth of the risk increasing demand for scarce specialist skills. Organisations were also looking at external specialists to supply expertise as and when needed, recognising that it was not always possible or desirable to employ the skills in-house.
Investment in security
Investment in cyber security was increasing for all. In one case budget had doubled from two years ago. For most, despite increased investment, even more funding was needed. However, the increased spend on security meant less funding for other IT development. “It’s increasing but needs to increase more! In the last 2-3 years the threat has grown significantly – it’s a different world. We need more armoury to fight it.”
Availability of skills and expertise
To some extent, all the organisations surveyed used third party suppliers to enhance their internet skills; all organisations engaged with security vendors and business partners for advice and consulting; all with the exception of one collaborated with organisations in their own sector while half worked with law enforcement agencies. “We have the skills needed in partnership – we will never have enough people so we reach out to the key strategic partners and they’re part of our defence and knowledge base.”
Potential impact of a breach on an organisation
For most organisations the main impact of a breach would be reputational – primarily as a result of lost customer data and / or service delivery. Financial and other commercial considerations were much lower down the list of potential impacts. As one survey respondent said: “The biggest impact in terms of access to systems and websites would be reputational damage. There would be a huge trust issue. There would also be major issues regarding disclosure of information and data protection.”
One of the biggest cyber security challenges for the future is finding a balance between adequate systems security and a workable end user experience.
Furthermore, in addition to their own security, organisations also need to ensure that third parties have adequate cyber security defences in place.
The growth of mobile, connected devices and systems will increase organisations’ exposure to risk – managing the pace and progress of digital transformation will become an increasing challenge.