The real reasons why firms suffer disastrous cyber breaches

As cyber attacks become more common and impact businesses more than ever before, it’s vital to understand how they happen. Lindsay Hill, CEO of cyber experts the Mitigo Group, examines the misconceptions that can lead to cyber breaches – and how you can avoid them.

Want to know the real reasons why firms suffer disastrous cyber breaches? No, it’s not just about your firm’s use of technology.

We’re providing a high-level summary of the underlying mistakes which, in our experience at Mitigo, allow cyber attacks to succeed.

1. Getting the wrong people to advise and audit

In almost all of the cases we investigate following a cyber breach, the victim firms were relying on their IT or technology managed service provider (MSP) to look after their cyber security without understanding that cyber risk management is a separate and dedicated specialist discipline.

Cyber security requires, among other things, real expertise in carrying out cyber risk assessments, which goes well beyond evaluating technology risks.

It encompasses an understanding of the risks attached to people and governance.

It’s also about having an acute awareness of the current methods of attack in your sector – and how to defend against them.

You need real expertise in operational resilience, as well as knowledge of your legal and regulatory responsibilities.

Crucially, your cyber security advisers should be independent of your IT team or MSP. Having people ‘mark their own homework’ is a nonstarter from an assurance or compliance perspective.

Your advisors should also be impartial, and they should not be selling you any security technology. This would give them a conflicting financial interest in their recommendations.

There are other reasons to separate your cyber risk management advisor from your supply chain.

Your dependency on one company for too many things may already be one of your cyber or operational resilience risks. How can you possibly get proper advice and oversight of your supply chain from an organisation that sits in a critical position within it?

Bear in mind that MSPs are also being targeted by attackers. If you or they suffer a breach, you definitely don’t want them to be the people you are relying on for advice and help to recover from it.

And it goes without saying that failing to carry out regular cyber risk audits is not just a breach of legal and regulatory requirements.

It also means the firm has no assurance that it is identifying and effectively controlling its cyber risks – leaving itself wide open to cyber attacks.

2. Thinking that security is all about tech

It is not. Security configuration of technology is vital, but so much more is needed.

Security involves a many-layered combination of defences.

Most cyber breaches start with human error: someone clicking something they shouldn’t, or bypassing tech protections by giving away security credentials.

The combination of artificial intelligence (AI), social engineering and the use of native English-speaking affiliates is resulting in more successful attacks from phishing and voice phishing (vishing).

Staff need to be trained to spot attacks. Running simulated attacks will then test that the training is working. You need to have a culture where staff are not afraid to speak up if they think they may have made an error which jeopardises security.

Good governance is also essential. You must have the right policies and procedures in place for your business and the way you work.

Governance arrangements must include a process for regularly testing, assessing and evaluating the effectiveness of your cyber control measures, and reporting the outcomes to all relevant stakeholders.

3. Incorrect or inadequate allocation of resources

We believe cyber threats should be at the top of every organisation’s risk register, with at least the same prominence as any financial or legal risk. But many are not taking cyber security seriously enough.

Of course, staying secure has financial implications – but it is now a cost of doing and staying in business. We have seen first-hand the consequences of failing to address risk properly because it seemed expensive to do so.

It’s not all about money. Breaches occur where the firm has not treated security as a senior leadership concern.

As the government’s Cyber Governance Code of Practice emphasises, cyber risk management is a board-level matter.

Anyone in doubt over the need for senior management oversight should read about the data breach at construction company Interserve, which resulted in a £4.4m fine from the Information Commissioner's Office (ICO).

Both executive and non-executive board members and partners are responsible for the security and operational resilience of their organisations.

They must own and make themselves aware of this risk. It should be discussed at board meetings using proper management information.

They should also obtain, on an ongoing basis, independent assurance that their cyber controls are in place and working effectively, because business-critical information must be reliable.

4. The fatal combination of complacency and misconception

We see many incorrect assumptions and misconceptions about cybersecurity.

Some people think that their organisation is too small to be attacked and don’t understand that criminals usually target vulnerabilities rather than specific firms.

Once they are ‘in’, they will investigate the scope for stealing data, encrypting systems, diverting payments, moving up and down supply chains and so on.

Others may not be aware of the criminal ecosystem and underestimate the strength of their foe.

These are serious, well-organised (albeit illegal) criminal enterprises, looking to make serious money. Stealers obtain confidential credentials and act as lead generators for access brokers who assess potential and sell leads on.

Affiliates buy ransomware as a service (RaaS) tools, which have been developed by sophisticated gangs based in overseas jurisdictions.

The gangs are experienced and skilled in developing products, hosting leak sites, assessing the ransom value of stolen data and business downtime, and managing ransom negotiations.

Some businesses are persuaded by technology vendors that cloud services keep them safe. In reality, they merely change the nature of risk. In many cases, their risk may actually increase.

They may also ignore supply chain risks by failing to consider how a service supplier’s breach might affect them.

It’s crucial to consider the extent of data sharing or integrations, critical supplier dependencies, fallback plans and the need for supplier due diligence.

Some organisations don’t investigate minor breaches or ‘near misses’ to understand the root cause of them. But that can be fatal, because often they are a forerunner to far more serious breaches.

Others believe that having certifications such as Cyber Essentials (CE) or Cyber Essentials Plus (an audited version of CE) alone proves that you are secure.

They do not. They can be a good starter and a useful badge for satisfying supply chain requirements. But CE only covers a number of technical controls, which are necessary but nowhere near sufficient to provide proper protection or legal compliance.

Finally, it’s a mistake to think that cyber insurance offers adequate protection in the event of a serious breach.

It does not. Insurance is not a substitute for cyber management – it is the transfer of residual risk once you have taken steps to manage your cybersecurity.

Insurance may cover some financial costs, but it will never repair all the damage to your business, its reputation, its client relationships, your sleepless nights or all of your business’s financial losses.

Why it’s so important to get it right

Businesses work long and hard to create value for themselves, their partners and shareholders. It can be soul destroying to see that value destroyed by one cyber incident.

If any part of this article has struck a chord with you, consider reaching out to someone who truly understands how to support your journey. It might just be one of the smartest business moves you make.

Partner information

Mitigo provides cybersecurity and cyber risk management services to the legal sector.

Mitigo is a Law Society partner.

Contact Mitigo to find out more about overcoming key cybersecurity mistakes.