Why Cybersecurity Can’t Be Ignored
Cyber-Attacks Are on the Rise
With the ever-growing reliance on technology, virtual connectivity, and a highly integrated business environment, companies today face a growing risk of experiencing some form of cyber-attack. Pandemic conditions have only served to fuel these attacks, as the data below shows.
- Share of the 5,400 IT decision makers' organizations across 30 countries that experienced a ransomware attack (Source: State of Ransomware 2021, Sophos)
- $40 million ransom paid by CNA Financial Corp. in March 2021 to regain control of its network following an attack (Source: Bloomberg, "CNA Financial Paid Hackers $40 Million in Ransom After March Cyberattack")
- Average ransom paid by a mid-sized organization (Source: State of Ransomware 2021, Sophos)
- Increase in malicious email activity during the Covid-19 crisis (Source: ABC News, "The Latest: UN warns cybercrime on rise during pandemic")
The healthcare, financial services and government sectors have been particularly targeted, experiencing a significant increase in both the volume and the severity of attacks.
- Ransomware attacks have caused healthcare providers over $157 million in losses since 2016 (Source: HIPAA Journal, "Ransomware Attacks Have Cost the Healthcare Industry at Least $157 Million Since 2016")
- 520% increase in phishing and ransomware attempts against banks between March and June 2020 (Source: American Banker, "5 ransomware trends that should alarm banks")
- Second most-attacked industry in 2020, receiving 17.7% of all attacks (Source: Security Intelligence, "Threat Actors' Most Targeted Industries in 2020: Finance, Manufacturing and Energy")
- In 2020, 33% of attacks on governmental bodies were ransomware (Source: Security Intelligence, "Threat Actors' Most Targeted Industries in 2020: Finance, Manufacturing and Energy")
Understanding the Landscape of Cyber Threats and Attacks
Stout research, based on our experience working with clients across a variety of industries, points to four of the most common types of attacks.
- Phishing Schemes - Attackers use social engineering (fraudulent emails, messages or websites) to trick a victim into revealing credentials or sensitive information, or into running malicious software on their computer.
- Malware - Attackers get malicious code onto a victim's computer, typically through phishing, an unpatched vulnerability or a malicious download. Once running, the malware can be used to stage further attacks such as ransomware.
- Denial of Service - Attackers overload a system with superfluous requests so that legitimate requests cannot be fulfilled.
- Ransomware - Attackers gain access to company systems, encrypt the data on them (and increasingly also steal a copy), and demand a ransom for the decryption key or for not publishing the stolen data.
Each of these types of attack can result in significant material, regulatory, financial, and reputational damage. Careful planning and prevention strategies are critical to reduce both the likelihood and the impact of an incident.
Prevention is Always Better Than A Cure
Given the scale and impact of potential cyber-attacks, companies should invest in attack prevention processes and tools. At a minimum, companies should consider the following capabilities to reduce the likelihood of an incident:
- Security Governance Program - Implementation of enterprise-wide security governance that provides strategic oversight, aligns with Enterprise Risk Management objectives, and drives the processes, procedures, and tools that improve the security posture of the organization.
- Data Governance - Introduction of processes and procedures for the effective organization, sensitivity classification, reporting and protection of enterprise data.
- Identity and Access Management - Implementation of an identity and access management framework to manage appropriate levels of access to the company's information technology resources, so that each identity holds only the access its role requires.
- Password Validation - Introduce robust password requirements (minimum length, screening against known-breached passwords, lockout or rate limiting on repeated failures) to increase protection against brute-force, password-spraying and credential-stuffing attacks. Password rules alone do not protect against phishing or man-in-the-middle interception of credentials; that is the gap multi-factor authentication closes.
- Multi-Factor Authentication - Implementation of a second, independent authentication factor (such as an authenticator app or hardware token) that must be presented before access is granted, so that a stolen or guessed password is not enough on its own.
- Intrusion Prevention and Detection - Implementation of systems for real-time analysis of network traffic and host activity, with preventative and defensive actions taken when potential threats are identified.
- IT Infrastructure Monitoring - Implementation of Security Information and Event Management (SIEM) for real-time monitoring and alerting of security incidents, covering access points, system and application logs, compliance, and audit reporting.
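The "Password Validation", "Intrusion Prevention and Detection" and "IT Infrastructure Monitoring" capabilities above meet in practice as detection rules that a SIEM runs over authentication logs. The following is an added example, written for this page and not Stout's tooling or code from the original, of two such rules over OpenSSH-style login events: a brute-force alert when one source address accumulates too many failed logins inside a sliding time window, and a higher-severity alert when a successful login from that same source follows the failures (the signature of a guessed or stuffed password). The log lines, host name and IP addresses are constructed for the example, and the threshold and window values are assumptions a real deployment would tune.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): one source hammers the host and
# eventually gets in; a second source is a user who mistyped once.
SAMPLE_LOG = """\
Jun 14 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Jun 14 10:00:03 web01 sshd[2202]: Failed password for root from 203.0.113.7 port 51123 ssh2
Jun 14 10:00:05 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51124 ssh2
Jun 14 10:00:06 web01 sshd[2204]: Failed password for invalid user oracle from 203.0.113.7 port 51125 ssh2
Jun 14 10:00:08 web01 sshd[2205]: Failed password for deploy from 203.0.113.7 port 51126 ssh2
Jun 14 10:00:09 web01 sshd[2206]: Failed password for deploy from 203.0.113.7 port 51127 ssh2
Jun 14 10:00:12 web01 sshd[2207]: Accepted password for deploy from 203.0.113.7 port 51128 ssh2
Jun 14 10:02:30 web01 sshd[2301]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Jun 14 10:02:41 web01 sshd[2302]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
Jun 14 10:05:00 web01 sshd[2400]: pam_unix(sshd:session): session opened for user alice
"""

# Matches the OpenSSH password-auth lines used above; other lines are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line, year=2021):
    """Return (timestamp, result, user, src) or None for non-auth lines.
    Classic syslog timestamps carry no year, so one is assumed for ordering."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Run the two rules over log lines in order; return a list of alerts
    as (kind, src, user, timestamp) tuples.

    threshold and window are assumed tuning values, not standard settings."""
    failures = {}   # src -> deque of failure timestamps still inside the window
    flagged = set() # sources already alerted on, to avoid an alert per extra attempt
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, src = rec
        q = failures.setdefault(src, deque())
        # Slide the window: drop failures older than `window` relative to this event.
        while q and ts - q[0] > window:
            q.popleft()
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, user, ts))
        else:
            # A success after a burst of failures from the same source is the
            # interesting case: a guessed or stuffed password likely worked.
            if len(q) >= threshold:
                alerts.append(("success_after_failures", src, user, ts))
            # One or two typos followed by a success (alice) raise nothing.
            q.clear()
            flagged.discard(src)
    return alerts


if __name__ == "__main__":
    for kind, src, user, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {kind:<24} src={src} user={user}")
```

Run on the sample, the rule fires once for the brute-force burst from 203.0.113.7 (on the fifth failure) and once more when the same address logs in as `deploy` a few seconds later; the single mistyped password from 198.51.100.20 produces no alert. In a SIEM the same logic would key on the normalized source-address and outcome fields rather than on a regex over raw text, and the second alert kind is the one to route to an incident responder rather than just a dashboard.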
Cyber security is complex and continuously evolving. Based on our experience with multiple clients, an IT and cyber risk assessment is the necessary first step to understand the key risks, vulnerabilities, existing controls, and potential limitations within your security environment.
Working closely with an advisor will help you understand and assess your risks and implement the right level of cyber defenses, which will greatly enhance your business continuity and protect your reputation. Stout professionals have extensive experience in assisting clients with complex cyber security requirements. Below are specific case studies in which Stout professionals assisted financial institutions and other organizations to improve the maturity of their cyber security environment.
Case Study #1
Challenge
The client needed to perform an objective assessment of their information technology and cyber risks and controls.
Stout's Approach
Utilized Stout's IT and cyber risk and controls assessment framework to perform independent testing of key information technology and cyber controls, including governance, data protection, data privacy, malware protection, incident response, pandemic planning, and business resiliency.
Outcome
Assessment and testing of key cyber risk mitigation controls led to critical enhancements of the client's data sensitivity classification and protection strategies across the data lifecycle and its journey through various US and international systems and applications.
Case Study #2
Challenge
The client needed an independent IT risk and controls assessment to gauge its preparedness to counter existing and emerging cyber threats and vulnerabilities.
Stout's Approach
Utilized Stout's IT and cyber risk and controls assessment methodology to perform an in-depth review of the design and operating effectiveness of key IT and cyber controls, including IT management, identity and access management, data privacy, ransomware controls, intrusion prevention and detection, security information and event management (SIEM) reporting, DRP/BCP and pandemic planning.
Outcome
Assessment of critical IT and cyber risk management procedures and controls, and creation of risk dashboards to focus management attention on critical gaps and recommended control enhancements. Our engagement led to significant recommendations to strengthen controls such as access management, remote network monitoring, and incident response and reporting.