IFE ADEDAPO writes on ways to strengthen cybersecurity
The Central Bank of Nigeria estimates that about N40bn has been lost by Nigerian banks to cybercrimes in recent times.
Organisations and prominent individuals are also victims of online fraudsters, whose activities cost businesses huge sums of money and affect their overall performance.
According to experts, the global fight against cybercrime is only possible if a robust information security policy framework exists.
But as the frequency and costs of security incidents continue to rise, a survey by PricewaterhouseCoopers found that many organisations have not updated critical information security processes, technologies, and employee training needed to combat cybercrimes.
The report, titled 'The global state of information security', states that in some cases information security programmes appear to have weakened due to inadequate investment in them.
It adds that the financial costs of investigating and mitigating online financial crime incidents grow year over year.
The report notes that the total number of security incidents detected by respondents rose to 42.8 million in 2014, an increase of 48 per cent from 2013.
Taking a longer view, the survey data shows the compound annual growth rate of detected security incidents has increased 66 per cent year over year since 2009.
According to the survey, however, these numbers are by no means definitive; they represent only the total incidents detected and reported.
"It is important to note that many organisations are unaware of attacks, while others do not report detected incidents for strategic reasons or because the attack is being investigated as a matter of national security," it says.
Employees, third parties are insider threats
The report notes that former and existing employees in organisations play an active role in the breach of information security.
It adds, "Compromises by insiders - current and former employees, as well as third parties with trusted network access - continue to rise, but many organisations have not implemented processes and technologies to address internal incidents.
"No matter how secure an organisation's network and data, it will be open to compromise if third parties do not employ equivalent security and privacy safeguards. Another worrisome finding is a diminished commitment to employee training and awareness programmes."
According to PwC, employees are not the only culprits; third parties who have been given access to Internet networks and data, such as current and former service providers, consultants, and contractors, are also perpetrators.
"When organisations overlook the threats residing inside their ecosystems, the effects can be devastating. Yet many companies do not have an insider-threat programme in place, and are therefore not prepared to prevent, detect, and respond to internal threats," the report notes.
Financial cost of security breaches on the rise
The annual financial costs of investigating and mitigating security incidents increased substantially this year, particularly among large organisations. It's also worth noting that the number of respondents reporting losses of $20m or more almost doubled over 2013.
PwC observes that the compromises often extend beyond information technology to other areas of the business, and include effects such as breach of customer trust and operational disruptions.
The survey reveals that small organisations are not spending on security. It adds that companies with revenues less than $10m reduced security investments by 20 per cent over 2013.
It adds, "Information security spending is not keeping pace with increases in the frequency and costs of security incidents, despite elevated concerns about cyber risks. PwC's survey reports that investments in information security budgets declined four per cent over 2013.
"Medium-size organisations (with revenues of $100m to $1bn) and large companies (with revenues greater than $1bn) report a modest five per cent increase in security spending."
Conduct due diligence of third parties
The report advises organisations to implement the necessary processes and technologies to prevent, protect, detect, and respond to elevated threats.
Among prevention and protection safeguards, areas to consider strengthening are due diligence of third-party providers, employee security awareness and training programmes, and technologies such as patch-management tools, intrusion-prevention tools, and privileged user access, it says.
According to the survey, it is worrisome that implementation of these key safeguards has declined over 2013.
Collaborating to improve security
Organisations are beginning to understand the strategic value of external collaboration to improve security and threat intelligence, the report explains.
It notes that in 2014, 55 per cent of respondents say they collaborate with others to improve security.
"Larger companies, which often have more mature security programmes, are more likely to collaborate than smaller organisations," it adds.
According to the PwC survey, security executives say collaboration with entities like information sharing and analysis centres, industry associations, and government agencies can be a very valuable risk-awareness tool.
Exploring mobile service security
The survey reveals that respondents are also taking steps to improve mobile-device security programmes.
According to the survey, more than half (54 per cent) of respondents say they have implemented a mobile security strategy, and 47 per cent say they employ mobile-device management or mobile-application management solutions.
The use of cyber insurance
According to the experts, the adoption of cyber insurance as a tool to help manage security risks continues to rise.
The report says that more than half of respondents say they have purchased cyber security insurance. And among those that have done so, many are taking steps to enhance their security posture in order to lower their insurance premium.