A recent ethical hacking exercise targeting middle market companies has found serious deficiencies in the cyber defences of all the companies tested – troubling news given the recent high-profile ransomware attack on businesses and public services worldwide.
The hacking simulation, which was carried out by consulting firm RSM with the permission of the organisations involved, revealed significant weaknesses in the strength of the businesses’ internal controls. In one instance, RSM sent more than 200 spoof emails asking employees to validate their staff login. Within minutes, 16 percent of employees had followed the instructions and clicked on the link and by the end of the day this had climbed to 35 percent.
The findings are backed up by the results of a new RSM survey which has revealed that 40 percent of organisations admit they have been a victim of cybercrime, with over a quarter saying they have been hit in the past 12 months.
Worryingly, despite the high level of incidents, one in five firms that have suffered breaches have since done nothing to protect themselves against future attacks.
The survey also pointed to significant complacency with respect to data held with third parties. More than 60 percent of respondents said they outsourced data hosting or handling to a third party, but over half said they were not aware of the third party’s cybersecurity policies.
Steve Snaith, a technology risk assurance partner at RSM, said: “The events of the last few days have shown just how disruptive a cyber-attack can be and how important effective defences are. However, our recent ethical hacking exercise has revealed some startling weaknesses in the defences of sizeable middle market companies that you would expect to be better prepared to withstand an attack. If we had been carrying out a genuine hacking attempt with malicious content, the business ramifications could have been catastrophic”.
Sheila Pancholi, a technology risk assurance partner at RSM, said: “Our survey has shed light on the ignorance and at times wilful complacency among some businesses with respect to the threat from cybercrime. Hackers are becoming increasingly savvy about organisations’ specific vulnerabilities, and can seek to exploit these weaknesses with targeted methods such as whaling or phishing.
“A successful cyber-attack can lead to operational disruption, financial loss and reputational damage, so organisations must do more to plug their knowledge gap to protect their customers, employees and their future business.
“Protecting customer data is also becoming increasingly important. New data protection rules which come into force in May 2018 will significantly increase penalties for data breaches. Failure to comply with the new General Data Protection Regulation, known as GDPR, could result in fines of up to €20m or 4 percent of annual global turnover”.