Cyber Security Demands There Must Be No Glass Ceiling For Innovation And Training

It came as no surprise when major news organisations reported that "Firms must 'urgently' improve cybersecurity" in the face of the increased frequency of online attacks.

Their reports were prompted by publication of the government's Cyber Governance Health Check Report - a snapshot of cyber health among the UK's top 350 companies.

The bad news from the survey was that 68 per cent of board members are not trained to deal with the fall-out from cyber incidents. The good news was that awareness of the risks is increasing. Some 54 per cent of boards view cyber risk as a primary threat to their business, which was up from 49 per cent last year. But on the other hand it was found that 69 per cent do not receive comprehensive information on that risk.

It was also worrying to see that only one in ten boards has a plan in place to respond to a cyber incident. Although Matthew Hancock, the government's Minister of State for Digital said it was positive that decisions about cyber risk are increasingly being taken at board level, he stressed that "cyber maturity" among companies needs to improve at a faster rate to ensure they can meet all the threats all of us will surely face.

Cyber is not all about the top people

Yet as we know, it's not just at board-level where cyber risk is being underestimated. Earlier this year Glasswall conducted a survey of employees that produced some alarming results. Despite the fact that document attachments are the most prevalent form of successful attack, we found alarming levels of complacency among employees and a lack of direction from their employers.

Three quarters (75 per cent) of those surveyed recognised that they receive emails that are suspicious, yet 62 per cent admitted that they open attachments from unknown sources without checking their legitimacy.

This willingness to open files without having them checked for malicious code rises dramatically to more than eight-out-of-ten (83 per cent) if the employee thinks the email and attachment have come from a colleague, supplier or customer. Familiarity can be lethal to an organisation's cyber defences, given the increased use of spoofed emails that are put together to look as if they are from a trusted acquaintance or supply chain partner, often using phoney invoices or receipts. The employees most exposed to these types of attack, not surprisingly, are in accounts. Four-out-of-ten suspicious emails and attachments are targeted at accounts staff using malicious invoices, while delivery notes made up 30 per cent and presentations 27 per cent.

The need for boards to back innovation and training

There's really no need to go on with this litany of vulnerability. What needs to happen now is for boards of directors to review their security architecture and rather than putting more and more money into post-attack mitigation and clean-up, immediately deploy new technologies capable of closing off the most vulnerable threat vector - the transfer of documents.

Security needs to be taken to a new level because the barricade approach in which you stack layer after layer of protection at the border of your business is not working. You cannot stop all email traffic - it is essential for the conduct of business. But if you don't know what to watch out for because criminals are constantly redesigning pieces of malicious code and how they are disguised, your organisation will become yet another cyber-attack victim.

Innovation is now the key, with technologies such as Content Disarm and Reconstruction (CDR), a process defined by Gartner, becoming the de facto standard in the era of the advanced persistent threat (APT), Fancy Bear and the zero-day attack. All companies need their boards to drop the idea that we cannot defend ourselves properly and have to concentrate on damage-limitation.

We need proper training for employees at all levels, along with technology that focuses on delivering documents that are 100 per cent clean, having been matched against the manufacturer's original design.

Of course we must make due allowance for the harmless alterations that almost always affect the sorts of files we use every day. But most successful cyber-attacks penetrate an organisation's defences with documents conveyed by email and a click from a busy, distracted or poorly-trained employee. It's there that we should focus.

If we are more innovative and provide better training, we certainly can defend ourselves against the incredible diversity of threats.