The two biggest security threats of 2016
In 2016, companies on a global scale will be more exposed to security threats than ever before.
While 2015 was a high-risk year, we somehow managed to get through it unscathed, either by good management or simply good luck. However, in 2016 we face two security threats that have the potential to financially cripple businesses if the proper risk management strategies are not in place.
Terrorism and cybercrime will dominate in 2016 as the two largest security challenges facing organisations and businesses of every scale.
You might think your business is too small to be hacked, but times have changed and cyber criminals are now turning their focus to small to medium-sized businesses as well.
In 2011, according to a report by Verizon Communications Forensic Analysis Unit, 72% of the worldwide data breaches that were analysed happened at companies with 100 or fewer employees. That said, the news is not all bad. While risks are increasing, there are more and more tools and resources dedicated to security, especially those that show us how to best manage increased threat levels.
When we look at terrorism and cybercrime and how they impact businesses, we’ll soon learn why 2016 doesn’t have to be a cloud of doom and gloom provided you have the right risk management procedures in place.
Terrorism
High Consequence – Low Probability
It is evident that terrorism is getting considerable traction both locally and overseas.
The “men in black” know how to grab the world’s attention. With incidents like those that occurred in Paris on November 13, it is clear that ISIS/ISIL are masters at spreading fear.
Locally, our terrorist alert level is set at “probable” according to the National Terrorism Threat Advisory System, with no expectation that it will fall below the current level any time soon.
A popular consensus is that Australia will experience a serious terrorist incident at some stage. This might have already occurred if not for the amazing work of our state and federal police forces.
While the consequences of a terrorist incident occurring in a business building would be devastating, the probability of it happening is relatively low. That is not to say that the threat should be ignored; quite the opposite. I would encourage all businesses of size and profile to at least evaluate the risks of an incident occurring, if nothing else.
Terrorism is growing at an alarming rate.
According to the Global Terrorism Index 2015, there were 3,329 deaths attributed to terrorism in 2000. In 2014, that number was 32,685, with people from Iraq, Nigeria, Pakistan, Afghanistan and Syria making up nearly 80% of all fatalities. Sixty-seven countries suffered at least one fatality from terrorism in 2014 including Australia, with four fatalities.
As a result, Australia is now ranked 59th in the world by the Global Terrorism Index.
For those of you who live in Melbourne and attended the cricket over the summer at the Melbourne Cricket Ground, you may have noticed the increased security measures in place. They are there for a good reason and highlight the changing nature of our local environment.
So how does the threat of terrorism affect businesses?
One of the aims of terrorism is to disrupt business and the broader economy, which leads to uncertainty in the marketplace. Markets react poorly to uncertainty, and such uncertainty has both direct and indirect economic impacts on businesses. For example:
- Undermining consumer confidence
- Reducing productivity because of higher security measures
- Negatively impacting consumer engagement
- Providing real or perceived barriers to entry
- Worsening the consumer experience
There are many things businesses can do to minimise their workplace risk and help protect themselves from this security threat. These steps don’t need to be overly intrusive, expensive, or invasive and often come down to increased awareness and common sense. For example:
- Perform a security risk assessment.
Most of us will understand basic security measures but won’t have the knowledge to be able to identify many risks that exist in a business. You are probably going to need some external help with this.
- Back up your data.
Have a separate, secure hard drive that your important files are copied to every day. These backups need to be kept in a secure part of the building that is conditioned and clean. Anything of importance that is not digitally backed up, such as personnel files, should be kept in secure, fire-resistant filing cabinets. For smaller businesses, back up your data to secure, off-site storage or take your hard drives home with you.
- Invest in a disaster recovery plan.
This will be a document that outlines what will happen in the event that business operations are seriously disrupted. Its intent is to keep the business functioning and restore normal operations as soon as possible. It will likely detail how communications will be maintained, where staff will work from and any specific tasks that key staff members will need to undertake during the period of disruption. It will also have a list of emergency contacts that could assist the business at short notice.
- Prepare your teams on how to react in the case of an emergency.
This is common in very large businesses where drills are performed regularly. For smaller businesses it is something that is often overlooked but is equally important. Document exactly what staff need to do in an emergency and then post it in staff areas so it is easily accessible. And train your staff so they know and understand the plan perfectly.
- Be vigilant and aware of what is going on in and around the workplace.
This is probably the most important thing we can do as individuals – be observant. Take notice of the unusual, the extraordinary, the person or package or bag that just seems out of place. And if you have real concerns, question the situation, either directly or through a superior.
- If you have security staff on site, get them re-trained.
What they have been trained on in the past is no longer appropriate or good enough. They need increased levels of awareness as the local threat level changes. Review with your service provider the role of the security officer and your expectations of what they can provide you. Can the service provider actually meet your expectations? You might be surprised at the answers you get.
Cybercrime
Low Consequence – High Probability
Cybercrime is going to affect many businesses in some form or another this year.
With our reliance on technology, it is inevitable that most businesses will no longer be immune to cyber security threats, particularly as the digital environment continues to grow exponentially.
It is estimated that cybercrimes cost global businesses a massive $445 billion on an annual basis (McAfee, 2014). And it’s not just large corporations that are at risk. Small to medium-sized businesses are a growing and ideal target for cyber criminals because, unlike big businesses, small enterprises have fewer resources and less expertise in risk management. They are traditionally not as well prepared as larger organisations are.
Forbes estimates that 60% of SMEs that experience cyber attacks are out of business “within a year.”
Cyber attacks are far more covert than terrorist attacks because they can be initiated from the other side of the planet. There is no graphic footage to show on the evening news nor is it easy to identify a group or organisation that is responsible. A cyber attack can be initiated from anywhere at any time and will come without warning.
Cyber crime is a different form of terrorism.
Terrorist attacks will strike mainly at high-profile targets that will maximise media airtime. Cyber attacks, on the other hand, will target a business’s information and financial systems with the aim of defrauding or paralysing an organisation. It is a far more covert form of terrorism.
For businesses, the outcomes can be equally devastating in many forms. For example:
- Financial losses
- Loss of intellectual property
- Inability to trade
- Reputational damage
- Compromised business data
Cyber attacks don’t make the evening news because no one knows they occur; however, the impact on a business’s ability to trade could be equally damaging.
We have such an enormous dependence on information technology and many businesses simply could not function without their business systems operating correctly. Simple tasks such as selling goods and collecting income could become impossible after a successful cyber attack.
In the UK, there were 5.1 million estimated cyber crimes and related frauds last year.
This is a good indicator of the size of the problem. And it’s a growing one. What steps do you need to take to start managing your level of risk?
How You Can Better Manage Your Risk – Questions To Get You Started
We all manage risk in some form. The challenge in business is to be able to identify risk in the first place. When evaluating your business for any security threats, you can get started by asking these questions:
- What unexpected event would severely impact the business?
- How might it occur?
- What would be the consequences if it did occur?
- Where are we most vulnerable?
- Who would have the capabilities to target us?
- Why would we be a target?
- When is it most likely to occur?
Is your business ready to deal with the cyber and security challenges that 2016 will bring?