5 ways you could be inviting a cyber attack

by Bita Taghavi-Stevens

What’s going to cost the world $265 billion by 2031?

Ransomware.

In 2021, the average cost of a ransomware attack for businesses was $1.85 million. And the 32% of businesses that paid the ransom only retrieved 65% of their data. Add to this the fact that cyber criminals can penetrate 93% of company networks, and the prognosis looks grim.

So what’s the answer? How do you mitigate this constant threat?

Most businesses think that the solution is to invest more heavily in tech and recruitment. And, to some extent, it is. But past a point, better cyber security doesn’t come down to funding or technical competency.

The reality is that weakened cyber security is often a reflection of organisational weaknesses or oversights; systemic and cultural problems that leave you exposed to cyber attacks.

Here are 5 ways you could be inviting a cyber attack – and what to do about it.

Are you a cyber security leader? Register now for one of our free-to-attend, expert-led Cyber Security Masterclasses.

 

1. Assuming your employees know how to react

 

Cyber Security is constantly evolving, and as most hacks are the result of human error, getting this wrong can cost you dearly.

Giving employees a few days of training and assuming it’ll stick is a strategy destined for disaster. Not only are they unlikely to remember everything, they’re also unlikely to have cyber security at the forefront of their mind, leaving you exposed to attack.

Act now: Refresh your employees’ cyber awareness with training at least every 4-6 months. This will sharpen their skills and keep them up to date. It will also serve to instill the idea of constant vigilance. Then you need to test them.

Sending fake hacking emails or setting up simulated ransomware attacks is an effective way to see how your staff would react to a real cyber attack. Apart from giving employees the opportunity to trust their instincts and use their training, you’ll also be able to see exactly where the gaps are for improvement.

 

2. Not auditing regularly

 

Just like employee training, your cyber security systems and protocols can’t just be implemented and then left. Without regular auditing, how do you know your backed up files haven’t been corrupted? How do you know whether passwords have been compromised?

Good cyber security is hugely dependent on being alert and vigilant. Buying the right software and hiring the right people only works if you check, check, and check again. If you don’t, you’ll be making yourself more vulnerable.

Act now: Regularly and systematically review your policies. Check your systems, software, cloud solutions and servers to ensure you’re as secure as you think you are. Then check your recovery process. Accessing and downloading your backed-up files will allow you to see how your recovery would work in case of a breach.

Check any IoT smart devices so that you know exactly what data they’re collecting and if they could be exploited. It’s also a good idea to update passwords – particularly if any devices have been lost or stolen.

 

3. Overlooking invisible systemic risk

 

Systemic risk has the potential to bring down and expose an entire system – in this case your IT networks and data. It’s been described as something which is ‘there when we see it’. Naturally this means we often don’t see it until it’s too late.

Invisible systemic cyber risks are everyday business decisions that could have disastrous knock-on effects for your cyber security. For example, a seemingly small decision like not shutting down a server for patching will increase the chances of a breach – and give you a false impression of how secure your business is.

Act now: Include invisible systemic risk in your cyber security strategy. Make it part of your checks, audits and reporting. By communicating the dangers of invisible systemic risks and including it in your protocols, you’ll increase awareness around IT decision-making and impacts. This in turn should reduce shortcuts and potentially dangerous oversights.

Our knowledge-exchange Masterclasses are designed to address your biggest challenges. Click to see our full list of Cyber Security events.

 

4. Failing to build a holistic approach to cyber security

 

In many businesses, cyber security is simply not on the radar of anyone outside the security department. This idea that cyber security is solely down to CISOs, CIOs or anyone with security in their title, is both wrong and dangerous.

Cyber security needs to be viewed as a whole business operation; you need an all-in mentality. Without it, you’ll be more exposed to threats. For example, if a marketing director wants to invest in a new app, they’re unlikely to be thinking about security readiness as a requisite. Leaders and employees need to know the potential security impacts of their operational and strategic decisions.

Act now: Connect the dots between cyber security and all other business operations. By putting it in context, you’ll be able to show everyone from the C-suite down how seemingly innocuous actions can have an adverse impact on cyber security. This will help your leadership team to consider security as a key factor in all of their decisions.

 

5. Implementing cyber security as defence

 

Defence, by nature, is locking down. Battening down the hatches. Saying no to anything which may be considered risky.

Of course, cyber security is defensive – that’s the whole point after all. But it’s important that it’s viewed and implemented as an ongoing function of your business, rather than a defence mechanism.

When it’s seen as purely defensive, you create a cultural disconnect between cyber security and the rest of the organisation. And this could prove to be counter-productive. For example, a CISO might block the implementation of a crucial digital application due to security concerns without considering the balance of risk vs business outcomes.

Act now: Again, this is about creating a holistic approach and connecting the dots between cyber security and the rest of your business operations. You need to move away from cyber security being seen as an isolated department with the sole concern of defending at all costs. Instead position it as an operation that balances the need for protection with the need for business functionality and growth.

 

Despite the advances of security software and tech, the truth remains that the majority of hacks and breaches are the result of human error. And as we know, this isn’t always as obvious as opening a phishing email, sharing passwords or connecting to unsecured WiFi. It’s often a more simple case of not considering security when making business decisions – or thinking about cyber security as something that ‘just happens’. The only way to close these gaps is by taking a holistic approach to cyber security to ensure it’s a fully integrated aspect of your business – one which everyone is invested in.

 

From uncovering security gaps to integrating your strategy, our Cyber Security Masterclasses will help you find the solutions you need. See our full list and register here.

With special thanks to:

More from