What risks are companies taking by not making cyber security jobs available?

In Information Security, by Team Acumin / 10th June 2016

We live in a networked world. Banking, online shopping, emails and streaming services are just a few of the everyday activities that involve networks. What’s more, all these networks require cyber security experts to protect them.

Potentially all networks are vulnerable to cyber-attacks, which makes it vital that any company that manages a network protects it by employing expert cyber security personnel.

Not employing enough cyber security staff means that a company risks becoming a victim of a cyber-attack, which can result in the loss of large amounts of money and damage to a company’s reputation.

Two types of attack

There are two main types of cyber-attack: stealing data and sabotage. The data that criminals target include personal data, which can be used in identity theft crimes, and financial data, typically credit card details, which can be used for fraudulent purchases. Trade secrets and inside information about mergers, bids and intellectual property can be useful information to sell to rival companies.

The typical sabotage attack is denial of service, where a website is bombarded with bogus log-on attempts or messages that disable the system.

Sabotage to a system that controls a country’s infrastructure, such as energy systems, airports and hospitals, can have devastating effects on a country.

The price companies pay

The monetary fallout of failing to protect networks is high; it is estimated that cybercrime costs over £275bn a year to the global economy.

In the United States, many high-profile companies, including Target and Home Depot, have had their systems breached and customer credit card information stolen. While the criminals did not take money directly from the companies, the reporting of these breaches made customers distrust the firms and stopped many from buying their products. Many security breaches have resulted in a fall in a company’s share price.

Other companies have directly lost money through cyber criminals stealing from their accounts. Another common form of financial crime is where a system is taken over and locked by a hacker who will only unlock the system in return for ransom money. These attacks, like other types of cybercrime, are often kept secret by companies who fear the bad publicity if they become public.

Although it is difficult to accurately estimate losses through ransom payments, it’s likely that tens of millions of pounds have been paid out to cyber criminals.

As well as the loss of customers, a cyber attack can result in punitive actions by industry regulators. It can also open a company to negligence claims from aggrieved customers. Company board members can be held responsible for the security of their networks. If systems suffer from cyber attacks, then the directors can be held liable for the failures. It is vital that all board members are aware of the company’s cyber security strategies and that they ensure that highly expert cyber security personnel are hired to protect the computer systems.

Cyber attacks that are reported in the media can be a public relations disaster. For example, the broadband provider TalkTalk angered customers after its system was attacked last year. Worried customers wanted to terminate their contracts with TalkTalk, but the company initially would not let them. This policy led to much criticism. It is estimated that 100,000 TalkTalk customers did leave the business and, for a time, TalkTalk stopped actively recruiting new customers.

Cyber attacks forecast to grow

Although governments and security experts are increasing efforts to combat cybercrime, it is forecast to grow. This growth is fuelled by the increase in the number of online services.

The largest area of technological growth is predicted to be the Internet of Things – a system for objects and devices to communicate with each other using machine-to-machine communication technology. Alongside this growth will be the need to increase cyber security jobs.

Once a company understands the risks it faces from cybercrime, creating cyber security jobs makes financial sense. Money lost in a cyber attack is potentially far more than the salary of cyber security personnel. It is therefore a false economy to cut down on cyber security jobs in order to make short-term financial savings.

Assess then plan

The Global Risks Report in 2015 warned that:

“90 percent of companies worldwide recognize they are insufficiently prepared to protect themselves against cyber attacks.”

Governments are concerned at the lack of protection and are providing help and advice. For example, the Government Communications Headquarters (GCHQ) has published detailed guidance with its ‘10 Steps to Cyber Security’ information.

A company needs to employ sufficient cyber security personnel to formulate a two-step strategy. The first step is to create a risk assessment. This is followed by a detailed plan for protocols and procedures that will minimise risks.

The risk assessment needs to identify all areas in which a company is vulnerable. A set of detailed policies should cover all the security needs of the network. The best antivirus and malware software should be installed alongside advanced network security systems.

Policies ought to be created that cover individual workers’ use of the system, including email, web browsing and the operation of their personal devices such as smartphones and tablets.

Users of a company’s network will need privileges based on their job role. Access to database administration systems should be provided for very few employees.

Cyber security personnel also need to make sure that the company’s systems comply with legal requirements. Most companies will already have policies to make sure that they conform to the Data Protection regulations. The European Union has also formalised its General Data Protection Regulation, part of which makes it compulsory to report any data breaches.

In a connected world, cyber security is an urgent issue. As cyber attacks are forecast to increase, every company needs to take precautions so that risks of attacks are minimised. This requires hiring the optimal number of cyber security personnel. If cyber security jobs are not made available, then companies are opening themselves to risks that could damage both their reputation and their profits.