Third of organisations unprepared for cyber incidents, says BSI
29 September 2020
Research by the cybersecurity and information resilience team at BSI has found that more than a third of organisations are unprepared for a cyber incident, with one in six highlighting that they have experienced a Covid-19 related data breach and cyber-attack in the past six months.
The research was conducted as part of a campaign on readiness to reopen and the new hybrid office dynamic, to understand levels of cybersecurity preparedness in the current environment. Respondent sectors covered banking and finance, food and retail, ICT and telecoms, manufacturing and engineering, as well as pharma/healthcare and medical devices, transport and logistics, and professional services.
Across the globe organisations are adapting their working structures, staggering teams in the office, or working from home to adhere to government health guidance regarding physical distancing and employee wellbeing. This hybrid working model, a mix of office and home, presents a range of challenges, most notably around cybersecurity where the threat landscape continues to increase.
Stephen O’Boyle, global practice director for cyber, risk & advisory at BSI, said: “Today, it’s not a question of whether a breach will take place, it’s a question of how the business can manage it when it happens. Incident response is a critical component of defence should an attack take place, so making sure you are prepared is essential for the continuity and sustainability of the business.”
Readiness to reopen
Considering the changes to the way many organisations do business now, when asked how cybersecurity-ready organisations are to reopen the office, two-thirds were satisfied with the new physical security measures that have been put in place; almost three-quarters (73%) said their operations security measures were prepared; and a full three-quarters (75%) said they had prepared for changes to network security and security governance.
“Organisations should re-evaluate system changes to security operation functions that they may have made suddenly to get the business operating remotely when work from home was first required, and now determine whether those changes are still appropriate,” said O’Boyle.
“This includes network security as well as identity and access management (IAM) configurations. Similarly, security governance covering risk registers and corporate policies will need to be updated to align to the new operating environment, in the office and at home or an alternative remote location.”
“Business continuity and sustainability are areas where we are seeing growth in our consulting practice. Covid-19 has highlighted just how vital it is to have a robust plan in place that anticipates low likelihood or high impact eventualities and how best to deal with them. While 74% of our survey respondents are prepared to react to a disaster event, that left 26% who are not, and we would advise those companies to address this quickly,” said O’Boyle.
Hybrid office and shadow IT concerns
While the hybrid model is seen as a flexible solution that allows employees to perform their daily duties efficiently while keeping them safe, it also generates potential cybersecurity risks if left unmanaged. Risks in this scenario are primarily based around loss of visibility of employee activity and data, employee susceptibility to phishing attacks, and employees using shadow IT.
BSI found that almost half of all organisations are unprepared for the implications of ‘shadow IT’ on their business in a hybrid office scenario. This is when an employee uses an unsanctioned cloud service, device, or software, for their work, which can often lead to an increased risk of a data breach. In a rush to enable the business to work remotely, IT teams may have put solutions in place that did not go through normal security governance lifecycle processes.
“We are witnessing cybersecurity risks and threats mounting daily and working from home may be causing additional employee fatigue, leaving potential for poor judgment when it comes to identifying risks and deciding whether to click on a potentially malicious link or attachment,” said O’Boyle. “The lack of governance and the haste to empower remote users creates opportunities for hackers as traditional security mechanisms can often be absent.”
O’Boyle continued: “There is potential for data leakage through cloud services as well as the use of BYOD (bring your own device). The assurance over the security of the BYOD can be lost, and potential questions arise over ownership and access to data. Approved corporate devices are advisable that traditionally provide encryption, patching, Web filtering and anti-malware. For these reasons it is important that IT managers educate about data management and clarify shadow IT and BYOD policies.
“We encourage employers to carry out regular awareness training and education around cybersecurity risks. All levels of an organisation need to be aware of cybersecurity risks, especially senior management. The current environment we are living in has exacerbated the threats, meaning cybersecurity needs to be at the core of business decisions now more than ever.”