Cyber War and the Implications for Organisations
For as long as companies and their consumers have become increasingly dependent on the internet to conduct business, there have been growing concerns regarding their vulnerability to malicious online attackers. Malware attacks, DDOS attacks or stolen personal information are valid threats to websites, and they are among some of the reasons why an increasing number of businesses are looking into responsible methods of protection.
Last year, Equifax, a consumer-reporting agency, revealed a data breach in which the personal details of over 146 million people in the US were stolen, including names, social security numbers, driver license details, and even credit card numbers. Of course, not all businesses will have to protect themselves from such potentially devastating criminal activity online, but it is relevant to point out how companies now have a greater responsibility of protecting themselves and their consumers, to build and maintain online trust and reputation. Other companies in the past have also fallen victim to data breaches, but IT experts claim that they are preventable through a layer of simple security measures. This can mean something as simple as segmenting a company’s network that would limit the damage an isolated attacker can do.
However, greater responsibility does not merely mean passing security to a dedicated IT team; it is as much a business risk as it is a cyber-threat. Businesses in Hong Kong have shifted their mindset to reflect this change in recent times by incorporating security into company policy, and training all employees with some basic practices to keep data safe online. Last year, a cyber-security report showed that 50% of Asian organisations experienced a security breach at least once a month; a side-effect of users moving towards a digital age where a variety of devices require security, including phones, tablets, and PCs. We should bear in mind that this is a double-edged sword because technological progress also favours the hackers, who have more powerful tools to do their damage.
Incorporating a successful cyber-security policy implies briefing all employees on the potential dangers they may face when handling data and work online; such as highlighting key points that cover some basic principles. A policy does not need to be an extensive and comprehensive manual of dos and don’ts, but it needs to address the policy objective, like protecting customer personal data, the security controls in place and the responsibility of staff on how to treat sensitive data, as well as the protocol of using company devices and working on personal devices from home.
One example of a comprehensive cyber-security policy is the one implemented by the NHS (the National Health Service in the UK), which was put in place after they were attacked by ransomware, jeopardising patient data that was not backed up. The new policy in place goes into explicit details of each area of security such as backing up data, encryption, network security and how staff should handle data. Since the unfortunate attack, the NHS now has a much more secure network and dedicated backups to ensure patient data is protected.
Cyber-security as a whole is a team game, and in many cases, businesses that fall victim to attacks are ones that ignore basic advice from IT professionals; for example, failing to create backups or segmenting a network. Companies need to incorporate a secure cyber policy to reflect the new role and responsibility they have towards consumers in the new online environment in a digital age.
Written by Edward Mah for Together Abroad