Companies today have a multitude of risks to deal with, and each one requires its own measures of mitigation. However, certain risks remain top of the pile, according to a survey of operational risk practitioners across the globe.
The threat of data loss through cyber attack remains the top concern of those surveyed. Simon Campbell-Young, MD of Credence Security, says that data protection regulations such as GDPR and POPI are only adding to the pressure for risk and security teams to focus on this vital issue.
“Not only are regulations making data protection more important in the day-to-day operations of a business, they are providing hackers with a wider target base. Where banks and other financial institutions were the primary targets before, we are seeing an increase in attacks against other targets now that attackers know that these companies have to store all customer data in a specific way,” he says.
Campbell-Young says that while most companies follow standard practices to protect their own and their customers' data, many forget that an active defence should also include penetration testing. Similarly, employing companies that specialise in threat detection goes a long way to ensuring a company stays safe.
“If an attacker gets into a company’s network, there’s the added risk that they can cause significant disruption, even if they don’t actually get to any data. Some hackers are merely malicious, not criminal. Their goal is to stop a business from being able to operate effectively; the prevalence of Distributed Denial of Service (DDoS) attacks shows that this risk is at least as big as the threat of data theft,” he adds.
In addition, an internal IT failure can cause just as much damage. “Whether a company’s systems go down because of an external attack, or just because of a technology failure, companies risk equal financial, reputational and regulatory consequences,” Campbell-Young says.
“This also applies to theft and fraud. Whether conducted by organised criminals or insiders, the consequences are the same. Last year, financial services companies alone lost $935 million to cyber-related data breaches and instances of fraud. In fact, over half those incidents involved fraud.”
He explains that all of these risks require specific ways to mitigate them, and that there are a number of tools that can assist security and risk teams in staying ahead of the threats. “A well thought-out policy is the first step to protecting assets, intellectual property, and information vulnerable to fraud. At its heart, the policy should manage the people that could access this information, as well as those that should.”
Insiders, he adds, are often the means through which hackers access a company’s data, and all too frequently this is because of ignorance rather than malicious activity. “Add to this the risk inherent in privileged accounts, and risky insiders can become the single biggest security concern for companies.”
This is why businesses are increasingly investing in Identity and Access Management (IAM) and Privileged Account Management (PAM) solutions. “Companies must validate that all their staff really need access to critical assets and the conditions under which they require access. Logging and monitoring network activity is also something that network administrators should be doing to improve insider threat protection. There are a variety of tools available to baseline and monitor network activity, network data flow and user activity. Ultimately, keeping track of risks from inside as well as outside the organisation goes a long way to preventing the threat from becoming a reality,” Campbell-Young concludes.