According to a survey carried out by McAfee, the cyber security firm, the cost of cyber attacks will exceed $1 trillion for the first time partially brought on by more people working from home. Even more worrying is that only 44% of respondents to the survey have plans in place to prevent or respond to a cyber attack.
Let me throw another statistic at you from a different survey - the average cost of a data breach is $3.86m and at the other end of the spectrum the average cost to a small business when their bank account is hacked is $32k.
So what is the reason that companies fail to take sufficient measures when it comes to an issue as important as this?
According to Alex Blau in his (2017) article in the Harvard Business Review, decision makers treat cybersecurity as a finite problem that can be solved, rather than as the ongoing process that it is.
So based on the information that we have we know that we are more vulnerable than ever before, the cost to our organisation is substantial no matter at what level we operate at in the corporate world and yet we seem to be burying our head in the sand in the hope that we will not be affected.
What would be the impact on your business if you were unfortunate enough to have an attack? I have come across more cases in the last year where Accounts Departments have been targeted in a sophisticated way, some successfully. I was talking with the Managing Partner of a Law Firm who was targeted by a criminal over a three month period. They created a rapport with the accounts department and then picked a Bank Holiday weekend to try and get three invoices paid totalling £80k. They had cloned the Managing Partners email and sent instructions to the accounts department but failed to get the payments out because everything over €50k is verified with the relevant person by phone. Had the request been for a lesser amount they would have been successful. The Fraud Squad were called in and during the conversation they heard that a similar size firm to theirs had been targeted in the same way and had lost €75k to the criminals. This story did not make the news as the firm was embarrassed and afraid that its reputation might be damaged.
One of my own clients narrowly escaped losing €42k is a similar type of attack only in the last couple of weeks.
In business we assess risks all of the time and hopefully we put in place a strategy to mitigate against them. We have insurance cover and training procedures to protect ourselves but we seem to be disconnected when it comes to crimes of this nature. Hoping that we will not be targeted is not a strategy so we need to put in place the right response. I refer to the 3R’s, which are Recognise, Respond and Review.
Recognise that these threats are real, are becoming more sophisticated and more importantly more frequent. What level of risk do they pose and what measures do we have in place?
Respond, we need a robust plan and countermeasures in place. Do we have an updated training plan so that our employees are constantly aware of the dangers of such an attack and are we investing in the right expertise and systems to protect us?
Review - how frequently are we reviewing the situation, how informed are we on the latest threats and how often are we testing our systems to ensure our safety.
Unfortunately being disconnected in a connected world poses new challenges as we try to stay abreast of technology. Cyber attacks are a growing threat that need to be recognised and included in our Strategic Plan.