Security expert Asam Malik says companies are more likely to suffer a cyber attack than a fire or flood – yet take the threat less seriously.
Malik is head of IT risk assurance at professional services firm PwC. His team carries out ‘ethical hacking’ on clients to highlight weaknesses in their defences.
Speaking at a seminar on the subject held by PwC and Lockton Solicitors, he called on organisations to improve sponsorship of cyber security at executive level.
“In many organisations there will be an information security manager but we don’t see that profile at a more senior exec or board level,” he told BusinessCloud in an interview following the event.
“What’s happening is that cyber security is seen as an operation risk and not really a large-scale business risk.
“That means it doesn’t have the profile behind it and therefore the investment and resources that it needs because there’s no one shouting about it at a senior level.
“We need to get behind this because it could be a significant risk to our organisations.
“Most boards that we see don’t have the skills or experience to have that understanding. The ones who get it, and are doing it, are those who have suffered a breach.”
The impact of a breach on a company’s image can be fatal, says @pwc #CyberSecurity director @Asamjmalik pic.twitter.com/N80XB3joFl
— BusinessCloudEvents (@BCloudEvents) March 15, 2017
During the seminar at PwC’s offices at Barbirolli Square in Manchester, Malik said it is infinitely easier to hack into a company’s systems when plugged into a desktop computer.
In one ‘social engineering’ attack PwC carried out for a client, men in high-vis jackets tricked their way into the building, then spent three hours on a computer in the middle of an office while employees made them cups of coffee.
Straw poll of the @PwC_UK @LocktonUK seminar finds 10% of companies present discuss #CyberSecurity at exec level pic.twitter.com/9lDI7bPRdx
— BusinessCloudEvents (@BCloudEvents) March 15, 2017
Phishing attacks, in which criminals email malicious links disguised as something else to trick employees into downloading malware, are also becoming more sophisticated. Criminals are drawing on information from social media and using fake email addresses that closely mirror real email address conventions to make these cons more believable.
One third of employees at a firm which PwC worked with clicked on a ‘malicious’ link promising them a 25 per cent discount on Apple products.
“We also worked with a football club and hacked into their pitch watering system, which means we could have flooded the pitch,” Malik said.
PwC’s Peter White and Peter Erceg, and Brett Warburton Smith of Lockton, also spoke at the event, which was chaired by Lockton partner Matt Davies.