Cybersecurity threats: Not just a tech problem
Businesses need to get more serious about the issue and consider implementing non-technical measures such as closer vetting of recruits and paying attention to the vulnerabilities of staff, two security experts said during the cybersecurity panel on April 7 at AIC 2016. “The least appreciated part of the cyber threat is the insider,” said Sir John Sawers, Chairman of Macro Advisory Partners and former chief of the British Secret Intelligence Service (MI6). He said that 80% of cyber attacks are perpetrated by insiders, most unwittingly and usually by senior personnel. There are always some with malign intentions, particularly when the organization is going through a major transition and staff may be aggrieved and want to cause damage.
Despite the prevalence of the insider threat, many companies are not doing enough to address the challenge, added Ben Wootliff, Managing Director, Hong Kong, for Control Risks, and a cybersecurity advisor to global corporations. “There may be awareness on the board, but they still see it as a technical problem of computers attacking computers, putting tech people in charge of it. They will see the technical solution as a panacea.”
The most effective approach to cybersecurity is to get all sides of the issue – the technology, security and the business people – in the same room, Sawers agreed. “You have to have buy-in across an organization to get cybersecurity right.”
There are of course other perpetrators of cyber attacks beyond the insider. These include nation states, criminals and “hacktivists”. Two recent examples of cyber attacks by hackers allegedly connected to national governments are the breaches of data held by Sony and the US Office of Personnel Management. According to Wootliff, cybercriminals are becoming more sophisticated, while hacking tools are more easily available. Criminals and activists are better able to target what data is valuable and then sell those assets, he said.
Countries, particularly the most cyber capable, should come together to discuss the rules of the road for cybersecurity and common responses to breaches, Sawers told participants. The level of dialogue so far “is so immature,” he lamented. “If we had a cyber equivalent of 9/11, everyone would jump into action. But I don’t want to wait for that to happen.”