As a director of a public company you will no doubt be aware of the increasing threat of cyber-crime to the companies you oversee. What is their risk profile from a cyber security perspective? Don’t know? You are not alone.
Your governance and fiduciary responsibilities lead you to have continual oversight of many aspects of your businesses, including financial performance and controls, market opportunity, people and processes – to name just a few. But how aware are you of their cyber security posture?
It may seem less important than those other attributes but in today’s distributed working environment, there is an increasing likelihood that your company may be subjected to a cyber attack and suffer serious operational and financial consequences as a result.
Understanding and mitigating cyber risk should increasingly be a significant consideration for all company boards, particularly those that are publicly listed.
What kind of consequences? It varies, but could include: the theft of intellectual property; fines for lack of adequate data protection; being held to ransom for significant amounts; brand destruction; customer erosion; fraudulent payments.
For publicly listed companies in particular, the responsibility of the board of directors to protect the value of the business for all stakeholders is acute, and many directors are unaware of how vulnerable their companies really are to cyber threats.
Many of today’s businesses have outsourced their IT to a third party, often a Managed Service Provider (MSP). The MSP may have assured you that you are safe and secure through its own security posture, and that may be the case, but it is unlikely. Few MSPs commission penetration testing of their own networks and systems. Even fewer benefit from 24×7 monitoring of cyber threats.
Even the biggest firms are vulnerable: take the very public examples of recent times, including Easyjet, Carphone Warehouse, BA and Travelex, to name just a few. A quick look at publicly quoted companies that suffered a breach showed a fall in enterprise value of 20-33% on average in the aftermath of the announcement.
But it isn’t just the big firms that are at risk. Small and mid-market companies are equally interesting to attackers, often precisely because they are the least protected. Let’s take the following (anonymised) example.
An AIM-listed business with a strong commercial performance. Highly acquisitive. Strong financial fundamentals. Operates multiple brands and makes use of third-party IT service providers. The executive team’s perception of their cyber vulnerability was that ‘all is well’, thanks to the protection they believed their MSP afforded.
What We Did
Falanx Cyber was asked to conduct an audit and penetration test of the company from a cyber security / threat perspective. The report surprised them.
What We Found
We identified multiple vulnerabilities (16 in total) across a range of severities. It was clear that if a threat actor decided to target the company it would not take long to break in, and that the following were possible outcomes:
- Defacement of member company websites, causing embarrassment and damage to brand and reputation.
- Cyber attacks conducted on their clients when they visit their websites, causing further loss of brand, trust and reputation.
- Hackers gaining access to their intellectual property, HR records, client records and other sensitive data.
- Potential financial loss through compromised email accounts being used to authorise money transfers.
- Financial loss through fines from the ICO after reporting a data breach.
- Financial loss through their network being breached and encrypted with ransomware.
What was even more surprising to them were the simple recommendations to secure their estate and how affordable they were. Relative to the risk of a breach it was a simple decision, and one that all companies should be adopting in today’s cyber climate:
- Fix the identified immediate vulnerabilities through software upgrades and similar remediation.
- Conduct social engineering tests, such as phishing and physical intrusion, to test the human element of security.
- Carry out annual penetration tests of the infrastructure and websites.
- Penetration test the internal network infrastructure.
- Deploy Managed Detection and Response (MDR) so that someone is watching for future breaches and pre-existing threat actors.
Thankfully, this client is now protected and actively defending itself in real time, minimising the risk of a breach and giving the directors comfort that they have afforded their shareholders as much protection as is possible in today’s heightened cyber-risk environment.
Make use of Falanx Cyber’s security solutions to protect you and your portfolio companies from cyber threats.
Ask the companies you direct to permit an audit of their IT estate and we will let them know how protected they are, what they may need to do to defend themselves better and what we can do to help, should they so desire.