Asam Malik

Member Article

Cyber attacks: don't think if, think when

Asam Malik is director at PwC in Newcastle and leads the technology assurance team for the North East. Here he shares his expertise on cyber crime.

Most organisations do not think that they would ever be the target of a cyber attack as they believe they do not hold any valuable information or that they are too small to be a target. Large organisations are more visible to attackers, which increases the likelihood of an attack on their IT systems. However, it is also true that small businesses tend to have less mature controls, and so may not detect the more sophisticated attacks.

The 2012 Information Security Breaches Survey (ISBS), conducted by PwC in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills, also found that:

- One in seven large organisations has been hacked in the last year

- The average large organisation faces a significant outsider attack every week - small businesses one a month

In reality it is therefore not a case of “if” your organisation will have a cyber attack; it is “when”. Businesses should be operating under the presumption that an attack is likely and be ready to respond. It is essential that businesses do everything they can to protect against these attacks, but many organisations tend to do nothing, making them an easy target. At PwC, our Ethical Hacking or Penetration Testing teams carry out threat and vulnerability management for clients to identify weaknesses so they can protect themselves. In most cases, this can identify a means of getting access to a business’s system in a matter of hours. The implications of this are widespread, including access to personal details of employees, such as their salaries and bank account data, information on customers or valuable intellectual property. In some cases, people use these attacks to access the CCTV and phone systems.

If a business suffered a cyber attack and lost this kind of data, the reputational and financial damage would be significant. The average cost of a large organisation’s worst security breach is £110k-£250k and £15k-£30k for a small business. Customers too will begin to ask themselves if they would want to do business with an organisation that they knew had a security breach.

Cyber security is not only a technical issue, but increasingly a core business imperative. Faced with attackers who move quickly and unpredictably, businesses also need to be able to act and respond quickly and flexibly. Being prepared for a cyber attack is not just about having a good IT policy but good governance across the business. When attacked, businesses need to be able to rely on well thought through plans and respond assertively.

This was posted in Bdaily's Members' News section by Asam Malik.
