Companies spend millions on security software; meanwhile hackers are still on the winning side of the fight. Often, entrepreneurs don’t realize what they should be protecting and how to go about it. WBJ talked to Michał Kurek, director at the IT Risk Management Department of EY, about the most common cyber threats and the mistakes companies make.
INTERVIEW BY BEATA SOCHA
WBJ: EY’s latest cybersecurity report indicates that companies in Poland are aware of the risks and are trying to invest in increasingly advanced security features against hackers. Who is winning in this “arms race”?
Michał Kurek: Unfortunately, I won’t hesitate in saying it’s the hackers. As many as 57 percent of organizations admitted to having experienced a significant security incident over the past year. Companies are aware of the unfair fight they are in. Although most of them (53 percent) increased their spending on cybersecurity, as many as 86 percent admit their current security measures are insufficient. Given the scale and the complexity of today’s cyber threats, it seems that the situation won’t be changing any time soon.
What threats are considered the most dangerous for a company?
The respondents of our survey point to two main sources of threats: malware (52 percent) and phishing (51 percent) – that is, tricking people into disclosing their personal data by means of spoofed emails. The largest percentage of companies (55 percent) stated that employees unaware of cyberthreats are the weakest link in the security of global organizations. The latest wave of attacks where hackers claimed to be the president of companies shows that these statistics are not far from the disconcerting reality.
What do hackers stand to gain through such attacks?
The main goal of cyberattacks is financial gain. It could be through stealing money from bank accounts or by tricking people into making bank transfers (45 percent of respondents), as well as by stealing intellectual property or other valuable data (42 percent of companies). Hackers also make millions these days by collecting ransoms from companies attacked by malware that encodes their data and effectively blocks the company’s access to it.
What type of losses (loss of data, denying user access, bad PR) can hurt companies the most?
That depends on what the company does. That’s why it is so important that companies understand what their assets are and keep in mind how much they’re worth when designing a security system. It can be a surprisingly difficult task. After all, how do you measure the cost of damage to a firm’s reputation, which takes years to build and only seconds to ruin?
How are companies trying to protect themselves from cyber threats?
Companies are aware of the fact that they cannot be fully immune to hackers’ attacks. What they need is to implement effective processes of detecting cyberattacks and responding to them. Our study shows that there is still a lot to be done in both areas: 44 percent of companies don’t have dedicated teams for monitoring security and 42 percent have not prepared a communication strategy in case of a successful attack.
What mistakes do entrepreneurs make in the area of cybersecurity?
The biggest mistake is seeing security as the sum of money spent on it, and not how the funds are put to use. Consequently, companies keep buying new security solutions without backing them up with appropriate processes. That’s why it is important to invest in people in the first place. Tools should only be employed for support.