web and mobile fraud
Businesses are now 'cyber prepared', but attacks increase in sophistication
More businesses are ‘cyber prepared’ but attacks are increasing in sophistication, according to the latest resilience report from the Business Continuity Institute (BCI).
Almost 90 per cent of respondents to the BCI report which examines the disruption levels and cyber resilience arrangements across organisations as well as the reporting and role of senior executives in the development of cyber resilience strategies, say their organisation has business continuity (BC) arrangements in place to deal with cyber incidents to mitigate financial losses.
While this year’s report sees 74 per cent of respondents noting an increase in the number of attacks within the past 12 months, it also finds that most organisations registered the impact of those attacks as small-to-medium in terms of scale.
Also, higher numbers of organisations are taking proactive steps to mitigate the impact of cyber incidents in order to reduce the impact on business with some organisations using dedicated tools to increase the chance of an early warning and a faster and more effective response.
According to the report, almost 40 per cent of respondents were notified by a security information event management system while 35.2 per cent received an anti-virus/end detection and response alert meaning that attacks are often discovered before business impacts are recorded.
However, 14.5 per cent of organisations discovered a cyber attack taking place as a result of a system outage, which obviously runs the risk of customer impacts and reputational damage, while also forcing the organisation into a more reactive and somewhat slower response.
The traditional methods of phishing remain the most frequent form of cyber attack, with the number of organisations reporting a successful phishing attack rising from 65.7 per cent to 72.4 per cent this year. It was also ranked as the most disruptive method of attack, particularly as their sophistication is becoming greater as cyber criminals work to eliminate the tell-tale signs of a phishing e-mail, such as bad grammar and other inconsistencies.
However, the BCI’s report also finds that cyber risks can still be siloed within organisations with IT teams not adequately communicating with the BC team about potential cyber risks. Therefore, the report concludes, there needs to be greater collaboration between teams in the face of this threat. This can be developed with support from top management, but also by continuing to train and exercise certain scenarios across teams to develop relationships and an understanding of roles and responsibilities that will be crucial in a live incident.
In order to build this resilience, the report finds that complex threats require a multi-faceted response. Here the report found that 64.6 per cent of organisations conduct exercises and 59.0 per cent of them initiate penetration testing.
Looking ahead, 74.0 per cent of respondents consider a ransomware attack to be within the top threats to their organisation over the next five years. While some 40 per cent of organisations have suffered financial losses of more than 10,000 euros as a result of cyber incidents in the last year, almost 70 per cent of respondents felt that they could now adequately respond to a cyber incident within the hour, showing a confidence in the effectiveness of their response and detection times.
Rachael Elliott, head of thought leadership at the BCI, commented: “The results of the survey outlined in this year’s report show an ever-evolving cyber security landscape, and one in which the number of attacks and their ferocity has increased markedly. With the classic attack vectors, attackers are becoming increasingly more intelligent in their approaches. Phishing e-mails no longer contain the spelling errors of yesterday and attacks have the potential to unleash damage to systems quicker than an organisation has time to react.”
Elliott continued: “Even if an organisation has the most advanced technology in place, attackers know that by approaching the weak link to cyber security within an organisation – the people – their attack will have more chance of success. Thankfully, we see training and exercising of staff in cyber awareness on the increase and, with the continued management attention now being paid to cyber security, we firmly believe that organisations are in a good place to stay one step ahead of the attackers.”
