A recent ethical hacking exercise targeting middle market companies has found serious deficiencies in cyber defences in all of the companies tested.
The hacking simulation, which was carried out by audit, tax and consulting firm RSM with the permission of the organisations involved, revealed significant weaknesses in the strength of the businesses’ internal controls.
In one instance, RSM sent more than 200 spoof emails asking employees to validate their staff login. Within minutes, 16 per cent of employees had followed the instructions and clicked on the link and by the end of the day this had climbed to 35 per cent.
The findings are backed up by the results of a new RSM survey which has revealed that 40 per cent of organisations admit they have been a victim of cybercrime, with over a quarter saying they have been hit in the past 12 months.
Worryingly, despite the high level of incidents, one in five firms that have suffered breaches have since done nothing to protect themselves against future attacks.
The survey also pointed to significant complacency with respect to data held with third parties. More than 60 per cent of respondents said they outsourced data hosting or handling to a third party, but over half said they were not aware of the third party’s cybersecurity policies.
David Morris, a technology risk assurance director at RSM said: ‘The events of the last few days have shown just how disruptive a cyber-attack can be and how important effective defences are. However, our recent ethical hacking exercise has revealed some startling weaknesses in the defences of sizeable middle market companies that you would expect to be better prepared to withstand an attack. If we had been carrying out a genuine hacking attempt with malicious content, the business ramifications could have been catastrophic.’
‘Our survey has shed light on the ignorance and at times wilful complacency among some businesses with respect to the threat from cybercrime. Hackers are becoming increasingly savvy about organisations’ specific vulnerabilities, and can seek to exploit these weaknesses with targeted methods such as whaling or phishing.
‘A successful cyber-attack can lead to operational disruption, financial loss and reputational damage, so organisations must do more to plug their knowledge gap to protect their customers, employees and their future business.
‘Protecting customer data is also becoming increasingly important. New data protection rules which come into force in May 2018 will significantly increase penalties for data breaches. Failure to comply with the new General Data Protection Regulation, known as GDPR, could result in fines of up to €20m or 4 per cent of annual global turnover.’
Companies are encouraged to protect themselves against common cyber-attack methods, which include:
- Insider attacks: employees downloading sensitive or confidential data and selling it on
- Phishing: multiple individuals are targeted by a single scam. A blanket email is sent in the hope that some will reply with sensitive information, transfer funds or open rogue links or attachments
- Whaling: a small group of individuals with significant data access are targeted. A hacker poses as a senior company official and requests personal information, bank detail changes or a large funds transfer
- Ransomware: a hacker gains access to a system and takes it over. The attacker then holds the organisation to ransom by blocking system access until a substantial payment is made.
- System vulnerability exploitation: weaknesses in system controls, for example not patching systems with the latest security updates and uncontrolled use of open source software, can lead to consequential loss.