Constant and camouflaged are the digital threats facing organisations in today’s online world. Cyber attacks in their many forms are now so ubiquitous, the UK’s National Cyber Security Council (NCSC) believes it is a question of when – not if – companies will one day find themselves at the mercy of malicious hackers.
Hyper-vigilance is the new order of business when dealing with all things cyber. A persistent problem requires a solution that is ever evolving, one which builds on the roots of a threat awareness protocol that is woven throughout the organisation. And there is no shortage of threats to detect.
Phishing, extortion, malware, ransomware, denial-of-service, web attacks, Trojan horses – to name but a few of the technological tentacles with the power to corrupt or compromise a company’s assets.
In its yearly survey of cyber security breaches, the NCSC found half of all businesses in the UK experienced some form of breach or attack in the last 12 months, with phishing being by far the most common type of cyber crime (84%) followed by others impersonating organisations or team members via email (17%).
Without ‘cyber hygiene’ measures in place, as they are now known, corporate information systems are left vulnerable to infiltration in which case criminals may access, alter, destroy, disable or outright steal personally identifiable information. What often follows is a snowballing effect whereby, once a cyber incident occurs and data is comprised, organisations are thrust onto the back foot in a matter of clicks.
These incidents will only become more commonplace, and so too the communications response must evolve. Companies affected should be proactive in notifying staff and stakeholders where it’s relevant to do so, before they themselves catch wind of a rumour or unsubstantiated allegation. At a base level lies the legal obligation to report any personal data breaches within 72 hours of becoming aware of them.
Managing this reputational risk is a fine line, of course. And the severity of any threat may vary. Scam emails, suspicious attachments, and unsolicited text messages are now the frequent bugbear of digital life and can generally be dismissed and reported as so.
However, research has shown that, time and time again, the most common reason for a cyber incident is the failure of basic security controls. When the firewalls and the encryption and the cloud back-ups are in place, but not managed effectively. Or worse, poorly understood by the staff navigating that digitised environment on a day-by-day basis.
Even smaller organisations will amass a considerable amount of data practically overnight. They may have a dozen or so suppliers; a large business will have hundreds. All that correspondence – the orders, the invoices and particularly any information that is personally identifiable – will need properly managed and protected.
Cyber security cannot be viewed as a set and forget policy. In a rapidly changing threat environment, it is critical that an organisation’s controls and procedures are checked regularly for vulnerabilities and areas where security can be strengthened. Companies must be proactive in embedding cyber security into the wireframe of every workplace, so that employees are educated on the latest threats and best practice when it comes to preventing fraud and cyber crime.
Not only are the dangers becoming more prevalent, but they are never far from the news agenda. Just last week, Ticketmaster became the latest large organisation to be targeted by hackers claiming to have stolen the personal details of 560 million customers.
Moreover, these threats are increasing in their sophistication with studies now showing that AI is being used as a tool to fool, with bad actors using the technology to improve the accuracy and wording of phishing emails to lure at scale. There is however another side to that coin.
Like all technology, AI can be friend and foe depending on who’s pushing the buttons. Generative AI, in particular, has the ability to enhance security in that it helps teams identify and respond to threats automatically so that attacks are instantly nullified before any damage is caused.
And, in so doing, ensuring a company’s defences matches the speed and proficiency of any cyber threat as they arise. That’s the approach needed in this ever-evolving digital landscape.
Caution is key, yes, but cyber security ought to be a constant of the new business agenda.
- Claire Aiken is managing director of public relations and public affairs company Aiken