Hot on the heels of the WannaCry attack comes Petya, a new strain of ransomware that is wreaking havoc around the world by locking down systems and denying access to data. Among the many businesses it has affected are advertising agency WPP, food company Mondelez, lawyers DLA Piper and transport firm Maersk.
Petya, which is believed to have started in Ukraine, is spread via spear-phishing emails. It also raises an important question: with so many businesses now being affected, should risk managers be rethinking cyber awareness training?
Cyber risks cause CEOs sleepless nights
It is indeed an alarming thought that anyone with access to an organisation’s email could unwittingly cause a business so much chaos. But it does appear that there is now far more understanding of cyber realities.
A recent report from the Business Continuity Institute and the British Standards Institution found that the number one threat affecting businesses is now perceived to be cyber. It found 88% of executives from 726 companies and across 79 countries said they are ‘extremely concerned’ or ‘concerned’ about the risk.
“Cyber-attacks and data breaches continue to cost organisations billions of dollars annually, a sum that is only likely to go up with the increasing integration of new pieces of technology into daily operations,” said BCI executive director David Thorp.
Understanding at all levels
Risk managers are likely to be highly cognisant of the risks, and the perception that only certain types of business are targeted is fading fast. Any firm is at risk, and while CEOs may be more knowledgeable, there needs to be understanding across the whole workforce.
While CEOs and those in senior positions may now be more savvy about phishing, incidents still occur. Further, those in time-pressured roles, such as lawyers, journalists and PR executives, who often receive urgent external emails, can easily be caught out.
A British problem?
Meanwhile, a survey has also found that British workers in particular are often lax about IT security and fail to protect their data and devices.
The Barclays Digital Development Index found the UK came a shockingly low ninth out of 10 countries, behind Brazil, China and South Africa, in terms of security awareness, which can only add to CEO anxieties.
Better training is essential
Certainly it makes sense to gauge levels of awareness, and this is something the US Department of Homeland Security did when it tricked workers by offering free tickets to see US football team the Washington Redskins.
Employees who clicked on the email link and went to a ticket collection point found instead that they had ‘won’ a compulsory cyber-security training course.
And MPs in the UK are now required to take security seriously, particularly when accessing emails from abroad. They must now also use two-step authentication and fingerprint scans on mobile phones.
Meanwhile, security provider Kaspersky offers some training tips that risk managers may want to consider, which include:
- Board members and IT departments in addition to everyone else should receive training
- Be clear on company obligations such as mobile phone use
- Encourage co-operation, avoid blame cultures
- Make training enjoyable; focusing only on compliance results in staff switching off
- Provide real-life examples, such as malware incidents and phishing emails
- Show what to do in the event of an attack, including whether systems should be shut down and who will respond to the media
- Encourage staff to raise red flags if they have any suspicions, even if it is a false alarm
- Always invite feedback
Cyber security should be raised regularly, and as criminals adopt new methods, businesses need to stay constantly informed. This is an area that requires regular investment and, as those who have been affected would no doubt agree, you cannot have too much awareness.