Why Cyber Security is a Strategic Imperative, Not a Soundbite
In 2017, cyber criminals launched more online attacks against UK businesses than ever before. According to the National Crime Agency, “UK business faces a cyber threat which is growing in scale and complexity. Organisations that don’t take cyber security extremely seriously in the next year risk serious financial and reputational consequences.” In the remainder of this article, we look at the rise of cyber crime, insider threats and the costs to business. We also discuss the strategic value of cyber security, benefits of data protection and the UK Government’s Cyber Essentials scheme.
According to America’s Federal Bureau of Investigation (FBI), ransomware payments tipped one billion dollars in 2016. The infamous WannaCry ransomware attack of 2017 caused global panic. It infected more than 300,000 computers across 150 countries and disrupted the UK’s National Health Service (NHS), international freight shipper FedEx and global media company WPP. It’s estimated there will be a ransomware attack against business every 14 seconds by 2020. Unfortunately, for many organisations deciding to pay or not pay the ransom is just the start of their problems.
Although a billion dollars in ransom payments is a lot of money, it obscures the many other dangers associated with malware attacks. You might never recover the hijacked data. There’s lost productivity from the unexpected downtime. You might need to bring in IT or cyber security specialists to recover your systems and conduct a forensic investigation. At the same time, you’ve got a PR nightmare to handle. Reputational damage can sink your share price faster than a Greenland iceberg and send your customers rushing for the lifeboats. In light of the investigation, you might need to beef up your security and spend extra money on awareness training for your staff. Finally, just when you thought it was safe to go back into the water, you’re hit with a massive fine by the regulator for not meeting your data compliance obligations.
The thought that your organisation might be the target of malware, criminal gangs or malicious state actors is enough to keep you up at night. However, the most common threats to your data security come from closer to home. In fact, between January and March of 2018, the Information Commissioner’s Office (ICO) reported that the main cause of data breaches was accidental. People make mistakes. We send data to the wrong recipients, we leave confidential files on trains, and people walk off with the wrong documents from the office printer.
Disgruntled employees have been behind some of the world’s most famous data breaches. Recently, UK supermarket chain Morrisons found themselves the target of a rogue employee. Andrew Skelton, a senior IT auditor, posted employee payroll information on a social sharing site. It seems Skelton held a grudge against the company over a disciplinary incident. Current and former Morrisons’ staff then took the supermarket to court and won a landmark liability case against the firm.
Negligence and nerds
Almost a third of UK organisations have sacked an employee as a result of data breach negligence, according to new research from Shred-it’s Security Tracker report. However, nearly half the organisations surveyed failed to provide any kind of data security training. In a study by Censuswide, it seems that 18- to 24-year-olds are by far the worst offenders when it comes to negligent behaviour around cyber security. Younger employees are believed to be more knowledgeable about the dark web (87%), underground hacking (79%) and crimeware. They are also more likely to use shadow IT services and share private corporate data on social media sites.
The average (mean) cost of a data breach has continued to climb in the UK, even when it does not result in any loss. For a small business the average cost is £3,100. This is much higher for medium (£16,100) and large businesses (£22,300).
Three days’ damage
As a marketing professional working in the IT industry, I find the subject of reputational risk of particular interest. Certainly, a high profile data breach that makes headlines around the world is a corporate PR disaster. Share prices do indeed sink, and customers abandon ship. However, the panic and the public interest in the story seldom last. In fact, the negative impact of a data breach on a company’s reputation only lasts about three days.
TalkTalk, the ultimate survivor?
Numerous big brand names have been the subject of data breaches recently including Dixons Carphone, Sony Entertainment, Uber, Pizza Hut, Yahoo, LinkedIn, FedEx, Target (a giant US supermarket), Equifax and Bupa. However, one firm, above all others, has seen its brand reputation dragged through the media mud. The TalkTalk Telecom Group plc suffered three data breaches in 2015. TalkTalk successfully bounced back after just three days from the negative media coverage of its first breach. However, the negative effects of the third breach, the one that eventually cost them a £400,000 fine from the regulator, lasted months.
What’s more, something like 60% of all the negative sentiment around the telecoms industry actually focused on TalkTalk. Nevertheless, they recovered. For those interested, Alva, a provider of reputational intelligence analytics, have written an in-depth study of the TalkTalk data breach 12 months on, which is worth a read. Perhaps a testament to their resilience rather than intelligence, TalkTalk was fined another £100,000 in 2017 for failing to protect customer data from rogue employees at their service desk in India. This year has seen the company’s stock value downgraded due to falling profitability and concerns over its balance sheet. Nonetheless, the share price has since rallied a little.
Customers abdicate responsibility
Naturally, a percentage of customers will abandon a firm following a cyber security incident or data breach. However, the picture is less clear-cut and more nuanced than you might expect. It seems that many consumers are happy to take risks with their personal data and online security, but are quick to blame businesses when things go wrong. In research, 66% of consumers said they would be unlikely to do business with an organisation that experienced a breach where their financial or sensitive information was stolen.
At the same time, more than half of consumers said they repeatedly used the same password across many online accounts, including banking and financial services. Many online businesses provide additional security features such as two-factor authentication, but only 20% of consumers use them. Perversely, 70% of consumers believe the sole responsibility for their data lies firmly with the businesses, and 48% would take legal action against a firm that exposed their data. Only 30% of consumers accept that they have any personal responsibility for keeping their personal data safe.
Litigation & fines
Credit-reference agency Equifax is another company that seems to have bounced back from cyber-disaster. It discovered a major data breach in September 2017. An estimated 185 million accounts were compromised around the world. The data breach has already cost Equifax $439 million. Once the regulators impose their fines and various consumer groups have their day in court, the true costs of the breach could be in excess of $600 million. What’s more, the legal wrangling and associated costs can drag on for years. The company also had to spend millions upgrading its technology and security infrastructure. Nevertheless, it was still able to achieve better-than-expected financial results.
In May of this year, we saw the new General Data Protection Regulation (GDPR) replace legislation like the Data Protection Act 1998. One of the most striking features of GDPR is the power to issue fines of up to €20 million or 4% of the breached organisation’s annual global turnover, whichever is greater. But the supervisory authorities’ powers aren’t just limited to slapping big fines on organisations. A supervisory authority can investigate a company’s compliance practices and enforce changes if it doesn’t like what it finds. For the company under investigation, this will cost time and money, and potentially disrupt how the business operates.
After the horse has bolted
A cyber attack or data breach can cast a long shadow. In the aftermath of an incident, you’ve got a forensic investigation, reporting and remedial actions. Your IT governance might need a review and overhaul. Your IT infrastructure and security systems might need an upgrade. Your staff might need security awareness training. Your entire organisation, and the way you operate, might need a rethink. Replacing hardware and software applications is one thing, but changing your corporate culture and people’s behaviours is another. Of course, the time, consequences and costs will be different for every organisation. The uncomfortable feeling of shutting the stable door after the horse has bolted will probably be the same for everyone.
A security state of mind
Every CEO and board member says that cyber security is a strategic imperative. It makes a nice soundbite but seldom translates into actions. That only happens once an organisation is staring down the double barrels of a massive fine and consumer class action post-breach. In reality, it’s not just the consumers who want to abdicate responsibility and stick their heads in the sand. Good cyber security is as much about your attitude and mind-set as it is about firewalls and intrusion detection systems (IDS). You’re not convinced?
When was the last time you walked up to an office printer and found an unclaimed document sitting in the tray? In fact, something like 7% of all documents sent to office printers are never claimed or simply vanish. Most unclaimed documents end up in the recycling bin, but some walk out the door. Those documents could be financial records, client lists, HR files and bank account details. That’s a data breach. The irony is that today’s multifunction printers come with an array of whizzy security features, but many organisations simply never use them.
Cyber security should be a strategic imperative for every organisation, not just a soundbite. Cyber security isn’t just an IT problem, to be locked down and forgotten. After all, there’s no such thing as 100% security. A balance has to be struck between risk, mitigation and reward. Rather than regarding data security as an inconvenient chore, you should “hard bake” it into your organisation’s practices, procedures and products. The idea of ‘privacy by design’ is nothing new, but article 25 of GDPR now makes it a legal requirement.
The IoT threat
As businesses and consumers, we live in an Internet-connected world. The average UK household owns 10 ‘smart’ devices, from thermostats and door locks to kitchen appliances and mobiles. In a rush to be first to market, many Internet of Things (IoT) manufacturers simply ignored security as a product feature. Consequently, many of these so-called smart devices have become gateways for criminal activity. Security researchers at the DEF CON hacker conference revealed that 75% of Bluetooth smart locks could be easily compromised. Privacy concerns have been raised about Amazon and Google digital assistants after these devices were found eavesdropping on conversations.
The commercial property sector will deploy around 1.3 billion IoT sensors by 2020 for building management and environmental control purposes. These smart systems can drive down a building’s operating costs while improving life for the occupants. However, the more connected devices you deploy, the greater the potential attack surface. Gartner predicts that by 2020, in excess of 25% of all identified cyber attacks on businesses will involve the Internet of Things.
Back in March, the UK Government and National Cyber Security Centre (NCSC) produced a draft Code of Practice for consumer IoT devices. Aligned with GDPR principles of security by design, the Code of Practice includes no default passwords, the ability to store credentials securely and easily updatable software to mitigate threats. The UK Government hopes that the Code of Practice will encourage industry to incorporate more robust cyber security into the design of IoT devices and related services voluntarily.
The majority of cyber attacks exploit known vulnerabilities within systems and software. Most data breaches are accidental rather than malicious. A small or medium-sized business will not be able to resist a determined cyber attack by a shadowy state actor, but it can protect itself from the most common threats. Launched in 2014, the UK Government’s Cyber Essentials scheme is a simple set of five security controls that cover secure configuration of IT systems, access controls and user privileges, firewalls and Internet gateways, malware protection and patch management.
Cyber Essentials certification has a number of business benefits. Firstly, it creates the perfect opportunity to conduct an audit of your IT systems, policies and procedures. You might discover that everyone is still using weak passwords, old routers are unpatched and vulnerable to attack, and former employees can access your systems because no one removed them from your Active Directory.
Cyber crime is opportunistic. Malware, social engineering attacks, hackers and malicious insiders succeed because they are able to exploit weaknesses in your policies, technologies and people. The same weaknesses in your systems also mean that breaches go undetected for months. Cyber Essentials won’t provide you with perfect, ironclad security. It will help protect you from the most common threats, and create a strong foundation on which to build.
Badge of honour
Having gained Cyber Essentials certification, you can display the badge on your website, social media, corporate literature and all other corporate communications. The Cyber Essentials badge is really a statement that you are serious about data security. This can help you retain the loyalty of existing customers and attract new business. In certain cases, you can only bid for UK Government contracts if your business is Cyber Essentials certified.
As data protection legislation is strengthened, Cyber Essentials certification is recognised by the ICO as an important step in meeting compliance obligations. Of course, depending on the nature of your business, type of data you hold and risks, you will need to do more than just Cyber Essentials to be GDPR compliant, for example.
Saving you time & money
Better cyber security can help you to harness the many benefits of mobile and home working. Home workers are consistently more productive and take fewer sick days than their office based counterparts, for example. Improved cyber security can mean lower insurance premiums, fewer business interruptions and unplanned downtime. Should the worst happen, it can reduce the fallout from a data breach, such as financial penalties, legal action and other regulatory sanctions. It can also help shorten the time it will take your business to recover following a breach.
A changed world
John Chambers, former CEO of Cisco Systems, once said: “There are two types of companies: those that have been hacked, and those who don't know they have been hacked.” We all live in a changed world, where cyber crime is an unfortunate, everyday reality. Therefore, we need to view cyber security as a strategic business issue, something that is everyone’s concern, not just a technology function.
As the frequency of cyber attacks and data breaches increases, so their ability to grab the headlines will diminish. To some, cyber crime will become an inevitable consequence of doing business. Clearly, large organisations are best equipped to weather the storm, albeit at immense financial cost. However, smaller firms will struggle to meet the challenges of cyber crime and survive the outcomes. Surely, prevention is better than cure. Good cyber security offers numerous business benefits while ensuring the confidentiality, integrity and accessibility of your data.