Why now is the time to act on Cyber Threats!
by Paul Lloyd-Smith, Governance Risk & Compliance Specialist, SAP UKI
Following recent media coverage in the national newspapers, on radio and on television, general awareness of the impact of cybercrime is certainly on the increase. However, the ability of organisations to effectively monitor and mitigate this method of attack is still catching up. Organisations are struggling with the volume of attacks from both external and internal sources. One quote I recently read spoke of cybercrime "having the ability to bring an organisation to its knees". I hope this will be a rarity, but in concept it is certainly possible.
Another quote, a favourite of our VP, Centre of Excellence for GRC EMEA, Chris Johnston, is:
“The Connectivity of all things:
- Law 1: Everything that is connected to the internet can be hacked
- Law 2: Everything is being connected to the internet
- Law 3: Everything else follows from the first two laws”
*Rod Beckstrom (author, ex-president of ICANN and National Cyber Security Center)
For a number of years now I have worked closely with organisations from around the world to enable testing for more traditional instances of fraud, both by internal staff and by third parties. Gradually over this time, these traditional methods of circumventing internal controls have become increasingly linked to cybercrime.
We see instances of CEO fraud, where the email address and other details of an influential person within an organisation are used to pressure staff into approving transactions that would normally require separate sign-off, thereby bypassing internal controls. In other instances it is an employee of the organisation who spots a weakness in an internal control and exploits it for their own benefit. They can then use a third party to act on their behalf to force the payment through while they themselves remain unimplicated.
The UK Government released a report on the impact of cybercrime a couple of years ago now, and within this report they estimated the cost of cyber-attacks to the UK at £27 billion. A significant proportion of this (£9.2 billion) came from the loss of organisations' IP. Although the general public and the Government were also impacted by cybercrime, the main loser was the UK business sector, with £21 billion being lost.
The Government's FTSE350 Health Check report, published in January 2015, indicated that still only 30% of boards receive regular cyber security intelligence briefings from their CIO or Head of Security. Only 24% of companies based their cyber risk discussion on robust management information. However, over 50% of respondents indicated that incidents of cyber-attacks had increased since the previous year.
This latest report can be found here.
When SAP looked into the market to understand where an investment could be made to assist with cyber threats, it quickly became apparent that the best choice was to develop a solution internally. Unlike many other systems on the market, this SAP solution monitors the application layer. This enables the security officer to be alerted promptly and to understand and identify where attacks are occurring, whether they come from an internal or an external source. I personally was shocked to learn that between 60% and 70% of all data threats are actually internal rather than external, and that on average it takes between 12 and 18 months for these sorts of attacks to be identified and shut down.
This is my first blog of many to come, and I wanted to highlight the fact that here at SAP we have solutions to enable organisations not only to monitor and remediate traditional instances of fraud, whether that be through misappropriation of T&E, illegal activity within the purchase-to-pay cycle or elsewhere, but also to identify and mitigate cyber-attacks.
Should you require any further information, or if you would like to discuss your own approach to cybercrime, please do contact me at the email address below.
Paul Lloyd-Smith, Governance Risk & Compliance Specialist, SAP UKI