It is hard to get away from the presence and scale of the cyber security threat. The mainstream and social media are full of stories of companies who have been hit by a data breach, but there are many more you will never hear about.
TalkTalk and Sony hit the headlines worldwide in 2015, but the US National Guard, Harvard University and Blue Cross Blue Shield also lost the personal data of millions of their employees and customers.
Beyond this are literally thousands of smaller organisations who have suffered data breaches that they will never make public for fear of the impact on their reputation.
Here in the UK, government figures from the Information Security Breaches Survey 2015 indicate that the average cost of the most severe online security breach for a large business ranges from £1.5 million to £3.1 million, and for an SME from £75,000 to £311,000. The same survey also shows that 90% of large organisations and 74% of SMEs reported suffering an information security breach during the year.
So the scale of the threat is vast and growing, but even more important for corporate security professionals to note is that the nature of the threat is also changing. Firstly, as the profits from cyber crime have grown, it has attracted the attention of more organised groups with far greater human resources available to them, including governments, organised crime and even terrorist organisations. Secondly, as the technical response to the cyber threat has become more sophisticated, with robust firewalls and anti-virus software now standard, cyber criminals have had to find new ways past corporate perimeter security.
The increased difficulty of breaching perimeter security and the increased human resources available to cyber criminals have combined to produce a new point of attack. That point of attack is the weakest link in the corporate security chain: human beings rather than technology. The UK government data supports this, with 75% of large businesses and 30% of small businesses reporting staff-related data breaches in the last year.
This is what used to be lumped together under the heading of the "insider threat", but that terminology is inadequate because it suggests deliberate complicity by employees in cyber crime, which is usually not the case. A more accurate term for what is actually happening is "social engineering": an attack vector that relies heavily on human interaction and typically involves tricking people into breaking normal security procedures. Put another way, it is the art of manipulating people into performing actions or divulging confidential information, rather than breaking in through technical means. The employee is not an accomplice but a target, and the attacker's success depends on how well the organisation has prepared its people, not just its technology.
Head of Cyber Security
The full version of this article first appeared in City Security Magazine – Issue 60 – Summer 2016.