Written by GRC Practice Director, Alex Hollis
There are generally two types of security:
- Physical
- Digital (cybersecurity)
It used to be that you could lock the doors and everything would be safe. But as more businesses shift their operations online, digital risks are becoming more prevalent. According to research published by The Economist Intelligence Unit, over 74% of organizations believe they will encounter a serious cyber-attack within the next three years, expecting their ICT systems, telecommunications, industrial and financial networks to be the most targeted.
But that’s not to say physical security is no longer relevant; it absolutely has its place. We’re just not seeing the same volume of attacks. In today’s world, it’s rare to hear about a physical bank robbery where masked men storm the building demanding to be shown the vault.
Cyber attacks are a growing threat
The data is clear; digital attacks are on the rise:
- Last year ransomware attacks increased by 2,502%.
- IoT attacks were up 600%.
- 1 in 13 web requests leads to malware.
- 95% of all attacks on enterprise networks are due to spear phishing.
- Nearly a third (31%) of organizations have experienced cyber-attacks on their operational technology infrastructure.
So why are cyber attacks increasing so quickly?
The Threat Triangle
With security risk, we talk about the Threat Triangle: for a threat to materialise, three elements must be present, namely capability, motivation and locality. In the physical world, you need all three. For example, the bank robber needs a gun to scare the cashier (capability) into giving him money (motivation) out of the vault, which he has to physically reach (locality).
With the Internet now a part of our daily lives, everything in the digital world is better connected. That convenience for your legitimate users is just as convenient for those who seek to threaten your organization. The need for ‘locality’ has been eliminated: an attacker no longer has to be physically present, which makes an attack on your organization far less risky for them.
70% of organizations believe their security risk has increased significantly over the last year. Source: Ponemon Institute
Everyone is a target
There are certain sectors that require stringent physical security measures. Banks, schools, airports, and museums, for example, all need greater security measures because they’re protecting something of high value – money, our children, national security or priceless artifacts.
But in the digital world, everyone is a target, however small you are. In a previous white paper, we discussed the monstrous problem of third-party risk. The challenge with third-party risk is that you can have the tightest security measures in place to protect your organization, but a small supplier can leave you dangerously exposed.
The US retailer Target lost the details of 40 million credit and debit cards after attackers compromised a small third-party heating, ventilation, and air conditioning (HVAC) contractor. They stole the credentials that contractor used to connect to Target’s network for remote monitoring, and used that access as a foothold from which to reach Target’s payment systems.
Lock it down
For the last seven years, we’ve specialized in governance, risk, and compliance (GRC), and it has always amazed us that people continue to think about risk in terms of silos. A risk doesn’t know that you’ve categorized it as operational, financial or security and therefore sits neatly in a little box. Risks span different departments across your organization, and then extend beyond it to your third parties.
This year, SureCloud has presented at several industry conferences, including the Gartner Summit and ISF World Congress, about why it’s essential to integrate business risks and IT risks – because the only way you can ensure your organization is truly protected is to take an integrated approach to risk management.
For anyone that was unable to attend the conferences, we have recorded a webinar to explain integrated risk management in more detail and shared a framework to help you enhance your security measures.
The webinar is available on-demand through BrightTALK here.
Alternatively, if you have a specific question about your security risk, you can contact my team directly through firstname.lastname@example.org.