Businesses slow to adopt even basic cyber security policies

Major enterprises are slow to adopt even basic cyber security policies despite risks and warnings, according to IT expert Julie Thorpe.

While cyber security experts are growing hoarse from telling businesses to wake up and realize leaks and IT infrastructure compromises are bleeding them billions of dollars, the looming threat isn’t savvy new hacking techniques – it’s just plain laziness, according to Hewlett-Packard’s latest Cyber Risk Report.

“Attackers continue to leverage well-known techniques to successfully compromise systems and networks,” says the study. “Many vulnerabilities exploited in 2014 took advantage of code written many years ago – some are even decades old [but] adversaries continue to leverage these classic avenues for attack.”

HP’s study found that a startling 33% of compromises came through a 2010 Microsoft Windows backdoor, with two Oracle Java exploits and an Adobe Acrobat Reader bug following.

“The problem here is that businesses aren’t patching their systems,” Julie Thorpe, an IT security expert and professor at the University of Ontario Institute of Technology, told The DealRoom.

Cyber attacks cost businesses around US$400 billion yearly according to insurance company Lloyd’s of London’s count. Last year the insurance industry made $2.5 billion off hacking policies held by enterprises.

Yet despite the costs, the basic steps to IT security are often overlooked. A big part of it, says Thorpe, is trying to avoid the downtime that comes with servers being updated.

“You have to schedule the down time, it’s just a simple matter of making sure you do it and prioritize it,” she says.

Everyone recognizes that human nature sometimes keeps us from preparing for the worst, and the tendency is amplified in a business setting where any downtime could interrupt workflow. But if the series of high-profile leaks is any indication, the alternatives to downtime can be much more crippling.

“I think one thing that’s good about all of these leaks – I mean it’s terrible that it’s happening – but it’s going to help raise awareness that these kinds of things are a problem and that people do need to invest in security,” adds Thorpe.

Put policies in place

“At the end of the day people have to commit to making an effort and ensuring they have security and typically the way that is done is through security policies,” says Thorpe.

Although there’s no one-size-fits-all model, she recommends that all businesses, from small mom-and-pop shops to multinationals, have some sort of formalized series of processes to make sure IT security is kept on point.

For malware protection, automatic updates can easily be enabled, and someone can be assigned the responsibility of ensuring patches are actually being managed.

Other elements to consider include having new employees sign a contract saying they will conform to security policies and use a strong password. Thorpe also recommends training to reinforce secure Internet use and best practices. If downtime is a concern, try updating the systems overnight or on the weekends.

It’s also worthwhile ensuring that secure channels are used when necessary and that cyber security incidents are reported and responded to promptly.

“Setting a policy is, for example, not like deciding ‘we’re going to buy this system’; it’s more like committing to review existing systems every three months and make sure they’re up to date,” says Thorpe, adding that it’s not about having convoluted and complex policies so much as sticking to the basics. “It’s something every organization needs to have, that top down commitment to security.”
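The kind of quarterly patch review Thorpe describes can be made routine with a small audit script. The following is an added example, not code from the article, HP or Thorpe: it runs over a constructed inventory (hypothetical hostnames and dates) and flags systems that have no assigned patch owner, have automatic updates turned off, or were last patched longer ago than the 90-day review interval.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Review cadence taken from the article: every three months (~90 days).
REVIEW_INTERVAL_DAYS = 90


@dataclass
class System:
    name: str
    owner: Optional[str]      # person responsible for patching; None = nobody assigned
    auto_updates: bool        # whether automatic updates are enabled
    last_patched: date        # date the system was last fully patched


def audit(systems: List[System], today: date,
          max_age_days: int = REVIEW_INTERVAL_DAYS) -> Dict[str, List[str]]:
    """Return {system name: [policy findings]} for every system with at least one finding.

    Systems that satisfy all three policy checks are omitted from the result.
    """
    findings: Dict[str, List[str]] = {}
    for s in systems:
        issues = []
        if s.owner is None:
            issues.append("no patch owner assigned")
        if not s.auto_updates:
            issues.append("automatic updates disabled")
        age = (today - s.last_patched).days
        if age > max_age_days:
            issues.append(f"last patched {age} days ago (limit {max_age_days})")
        if issues:
            findings[s.name] = issues
    return findings


# Constructed sample inventory; hostnames, owners and dates are made up for this example.
INVENTORY = [
    System("web-01", owner="alice", auto_updates=True, last_patched=date(2015, 2, 20)),
    System("db-01", owner=None, auto_updates=False, last_patched=date(2014, 10, 15)),
    System("file-01", owner="bob", auto_updates=True, last_patched=date(2014, 11, 20)),
]


def report(today: date = date(2015, 3, 1)) -> str:
    """Render the audit as a plain-text report a reviewer could file each quarter."""
    lines = []
    for name, issues in sorted(audit(INVENTORY, today).items()):
        lines.append(f"{name}:")
        lines.extend(f"  - {issue}" for issue in issues)
    return "\n".join(lines) if lines else "all systems compliant"


if __name__ == "__main__":
    print(report())
```

Running the script on a fixed review date (1 March 2015 in the sample) lists db-01 with all three findings and file-01 as overdue, while web-01 passes; the real version would read the inventory from an asset database rather than a hard-coded list.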

Andrew Seale

Andrew Seale is a Toronto-based business writer who contributes frequently to Yahoo Canada Finance, The Globe and Mail's Report on Business and The Toronto Star.