Non-governmental organisations (NGOs) and the healthcare sector are the ‘least prepared’ for, and most at risk of, cyber attacks, according to a new poll by the Sainsbury Management Fellows (SMF) business research panel: 25% of respondents named NGOs, while just over 22% identified the healthcare sector. The next highest at-risk sector named was agriculture/agribusiness, with 16%.
It is perhaps not surprising that healthcare ranked highly given that just a few months ago the NHS was given a dose of vicious ransomware sent via its email systems. This fooled some staff into opening attachments which spread a virus across some parts of the network. This attack raised a heated debate about the robustness or otherwise of NHS computer systems, though a government spokesperson said that 97% of the NHS was unaffected.
If the SMF panel’s view that agriculture/agribusiness is a high-risk sector is accurate, the consequences of a breakdown in the food chain don’t bear thinking about. An attack on the complex and interwoven food production processes, from growers to production and retail, could lead to food shortages in just a few days, impacting consumers directly as well as major institutions, such as schools and hospitals, which feed children and patients respectively.
Many organisations don’t feel the need for greater security
The majority of the SMF panel agreed that many organisations don’t feel the need for greater cybersecurity because they believe they have bigger problems to worry about, or that they are too small, too large or too important to be affected.
If the panel’s perception is accurate, these organisations need to be mindful of the findings of a leading security report which recently warned that ‘financially motivated criminals continued to innovate in 2017.’ The Flashpoint ‘Business Intelligence Report’ 2017 mid-year update identifies heightened threats from cybercriminals as well as ‘severe’ and potentially ‘catastrophic threats’ from China, North Korea, Iran, Russia and Jihadist Hackers. The report defines a catastrophic attack as:
‘Having the potential to cause complete paralysis and/or destruction of critical systems and infrastructure. Under such circumstances, regular business operations and/or government functions cease and data confidentiality, integrity, and availability is completely compromised for extended periods.’
According to Flashpoint, a notable trend in 2016 was cybercriminals’ targeting of healthcare organisations as a means of obtaining sensitive and exploitable personally identifiable information. Business email compromise is an area of rapid growth, with newly released statistics finding that the various iterations of the scheme have led to some $5.3 billion in losses globally. Overall, cybercriminals have continued to evolve in order to circumvent additional protections and new technologies designed to reduce fraud, such as EMV chips in payment cards.
Best Prepared Sectors
Perhaps unsurprisingly, the poll identified the military/defence and computer/technology sectors as the best prepared to deal with potential cyber attacks. Over half (56%) chose the military, with 16% of the votes going to computer/tech and 13% opting for the financial services sector. No other sector scored more than 4% of the total vote. Almost one-third (31%) said that they felt that organisations in these three sectors recognise that cybersecurity is important and are ready to deal with such challenges because they believe that lives depend on it.
Value of Organisation/Corporate Data
Almost two-thirds (66%) of those polled believe that most organisations don’t understand the value of the data they hold, making them vulnerable to serious attack and consequential future loss for their business.
SMF Panel Commentary
These comments highlight concerns:
- “Most companies don’t organise their data well and therefore fail to see its value, especially to others who do.”
- “Companies that don’t monetise the data they hold don’t understand the value. Some may hold a lot of data but don’t exploit it for commercial gain so are not aware of its potential value.”
- “The value depends on how the data is used. A lot of data that is not seen as valuable by companies could be very valuable to a malevolent party, for example, personnel records.”
- “The data one company holds might have a lot of value when combined with another company’s data.”
- “Data-mining can make mass data useful as opposed to individual or the data one company holds might have a lot of value when combined with another’s [data].”
Panel member David Bell from Rolls Royce points out that as cybercrime is a relatively new phenomenon, it is taking some time before organisations act to tighten up their data security. He said, “Awareness of cybercrime is on the rise; many organisations are yet to fall victim of an attack, targeted or otherwise, and so are under-prepared and vulnerable. Shareholder pressure can cause organisations to focus more on revenue-generating activities and less on cybersecurity as, until more recently, there has been little cause for concern. Many organisations are only coming to understand the value of their data if it were to be subject to a ransomware attack.”
One panellist who felt that organisations do understand the value of their data still highlighted problems of preparedness: “Most companies do understand the value of their data, and in the last couple of years have realised they are potential targets for attack. However, it is not only the technical defences but also employee awareness and education that need to be put in place. These take many years to develop and build in large organisations and require regular and systemic support and understanding. The technical proficiency of many UK leaders/boards is quite low so they have been very slow in reacting and developing policies around this area.”
SMF James Raby agrees on the latter points: “There is indeed a learning curve for most organisations but the increasing number of high-profile and debilitating attacks across a diversity of organisations, from telecoms companies to the NHS, means that all organisations must make cybercrime a top priority. This requires senior management commitment together with technical experts who can develop appropriate and evolving anti-cybercrime strategies.”
Another panellist said, “The cyber landscape is rapidly evolving and bringing with it new data technologies, risks and opportunities. In this context of complexity, the value of organisational data is often not well understood. This has significant implications for cyber attacks – companies are often failing to protect their most valuable data or leverage data that can support cyber defence. In order to understand the value and take appropriate action companies need to invest in a cyber ambition, strategy, roadmap and culture that builds appropriate data ownership, capabilities and processes.”
The overriding perception from the SMF business research panel is that most organisations are simply not doing enough to protect their operations from cybercrime at the moment and are in danger of ‘closing the stable door after the horse has bolted’. One panellist summed it up nicely saying, “Information is the lifeblood of a profitable business; like the air we breathe, one takes it for granted until it’s gone.”