Getting hacked is not something you expect to happen to your business or organisation - until it does. Don’t believe me? Just ask Bangladesh Bank, the victim of a cyber-attack last year, which resulted in the theft of $81,000,000. Or even better - ask Hillary Clinton’s campaign manager, who had his private email conversations with the presidential candidate laid bare to the world only weeks before the election.
If 2016 served to do anything positive, it was to show the public the power and potential of cyber-crime and the impacts it can have not only on a company, but on society. For many, it was a moment of realisation that no organisation is completely immune from this threat. Where cyber-security was once just an issue that our IT departments dealt with, it is now one of the greatest areas of risk that a business can face.
However, despite the prominence of cyber-security threats, many businesses are still failing to take preventative action against security breaches. According to the Cisco Annual Cybersecurity Report, the UK has “the lowest level of security maturity worldwide.” That’s not only embarrassing, but worrying.
It seems that, on the whole, we have reached a stage at which technology advancements are accelerating faster than our ability to adapt to the change. Sure, most of us know how to use smartphones and what social media is for (excluding that annoying friend who keeps sending me Candy Crush requests: I don’t want to play, this is your final warning). On the other hand, most of us are critically underprepared for a potential cyber-attack.
In our recent blog on the EU GDPR, we discussed the importance of data protection in the face of the upcoming change to legislation. However, complying with regulations shouldn’t be the only driving force behind improving your company’s security profile. As the threat landscape shifts and cyber-criminals grow in sophistication, it’s time for UK businesses to rethink their security strategy.
The Cyber Threat to Businesses
The digitalisation of business processes has revolutionised how we operate as a society.
Increased efficiency, reduced costs, seamless access to data and a surge in productivity are just some of the benefits that businesses have enjoyed as a result. However, by developing smart technology to make our lives easier and simplify processes, we have inadvertently made it easier for individuals or groups to gain access to our networks and do their worst. As technology continues to evolve at such speed, so too do the capabilities of cyber-criminals. We find ourselves in a cyber arms race, out-paced and unprepared.
We now live in a time in which serious threats to our business could be missed in the blink of an eye: perhaps it’s a request from “Google” which you accept without hesitation, an email with a “Microsoft Word” attachment that you open unwittingly or even a button prompting you to update your operating system. They all seem innocent - that is, until you’re in a board meeting trying to explain how a hacker infiltrated the network and got hold of sensitive information.
The answer is rarely simple, and in most cases, there isn’t just one. Perhaps it’s a combination of outdated security controls and lack of user awareness. Perhaps employees are too careless when it comes to data and the malware was well disguised. Now more than ever, businesses must understand that where there is a weakness, there is the potential to exploit it.
Last year, the average cost of data breaches to large UK organisations fell between £600,000 and £1.2 billion. In fact, one third of organisations that experienced a breach reported substantial customer, opportunity and revenue loss of more than 20%.
So why aren’t businesses doing more to protect themselves?
In most cases, SMEs cite budget constraints as the leading cause for their poor level of cyber security. Arguably, it’s almost always a lack of awareness. For instance, if you knew a burglar could easily unlock your front door, you would spend money on improving the lock - not on painting the door a nice shade of sky blue.
If you knew the impact that a cyber-attack could have on your company, your reputation and your finances, you may consider increasing the spend to ensure your data and sensitive information were not at risk.
Cyber Attacks of 2016
According to the National Crime Agency, cyber attacks had a global impact of $400 billion in 2016, and while this figure is alarming, it isn’t that surprising once you begin to look back on the year and consider the damage done.
In terms of cyber-security, 2016 was a year of firsts - but not exactly ‘good’ firsts like your first bike ride or your first kiss. These firsts were incidents that made you spit out your sip of coffee like a cartoon and say “wait, what?!”
The first actually occurred in December 2015, in the Ivano-Frankivsk area of Western Ukraine. Citizens were just minding their own business - watching TV, heating something up in the microwave, browsing the web, listening to music - when a group of cyber-attackers gained access to the networks of three major Ukrainian energy distributors, causing electricity outages for over 225,000 customers.
This was the first confirmed case of cyber-enabled disruption to electricity supply on a regional scale - and if that wasn’t bad enough, the attackers went on to launch a telephone DoS attack to delay customers from reporting the outages to their providers.
2016 also saw the first recorded attempt to use cyber to influence the democratic process in the US. It began in June, when it was reported that the networks of the Democratic National Committee (DNC) had been compromised. What happened next was unprecedented.
WikiLeaks - whose official motto is “we open governments” - leaked thousands of emails and attachments, publishing them online for the world to see. Then, in August, the Democratic Congressional Campaign Committee faced a cyber-attack that resulted in sensitive documents on congressional races across a dozen states being released to the public.
But it didn’t stop there. Two months later, only weeks before “#Decision2016” (yes, it still makes me cringe), WikiLeaks published a new wave of hacked emails - this time, from the account of John Podesta - the chairman of the Clinton campaign. The contents of these emails ranged from harmless to eye-opening and downright damning, and each new day brought a whole new batch for the public to examine.
Cybersecurity researchers and the US government attributed responsibility to Fancy Bear, a hacking group affiliated with a Russian intelligence service, who were passing the information directly to WikiLeaks to share with the public. While Donald Trump insists that Russian interference had no effect on the outcome of the election, the significant reputational damage caused by this cyber-campaign is undeniable. Whether or not the publication of these emails had an impact on the American people’s decision, it certainly provided Trump with the ammunition he needed against the opposition at exactly the right time.
So, how did a group of Russian hackers gain access to 60,000 top-secret emails belonging to a presidential campaign manager? This is the beauty of the cyber-attack: it doesn’t take an idiot to fall for one tiny, well-crafted and convincing fake email, just a minor lapse in judgement. Sure, you may not fall for the email that introduces a Nigerian prince and the apparent inheritance he wants to share with you – but sophisticated cyber-attacks are never this blatant.
When John Podesta received the email in March 2017 prompting him to update his Gmail password, he assumed he was clicking through to increase the security of his account. In fact, he had just done the exact opposite.
What can businesses do?
While the UK government has vowed to increase its efforts in tackling cyber-crime to improve our overall “security maturity” level, this alone is not enough. Businesses across the country should consider implementing changes to the culture and behaviour of their organisations with regard to security to reduce vulnerabilities and prevent crime. While there is no ‘one-size-fits-all’ solution to preventing cyber-attacks, there are a few steps you can take to reduce the threat-level:
- Promote Awareness
Cyber-security is something that staff at every level of the business should be concerned about, so producing strong user security policies which clearly explain the acceptable use of your systems is imperative in reducing your company’s cyber vulnerability.
- Protect your network
If you’ve been holding off from updating your security controls, now might be a good time to reconsider. It may also be a good idea to obtain adequate cover in the form of cyber-insurance – not as a substitute for good cyber security practices, but to aid your overall risk management.
- Test your incident management plans
When the EU GDPR comes into force in May 2018, companies will have 72 hours in which to report a breach of security. Therefore, having a robust incident response plan in place is essential, and providing specialist training to your staff on these practices may be necessary.
How can 360 Business Law help you?
No matter how successful your business is, a poor cyber-security strategy can leave you open to opportunistic cyber-criminals looking for an easy target. As reports of high-profile cyber attacks continue to make the headlines on a regular basis, one thing becomes absolutely clear: nearly every company is at cyber risk. The time to take action is now, and our specialist business lawyers are here to help.
Every day, our expert team delivers tailored advice to businesses across a broad range of industries on data protection, privacy laws and improving their overall security profile.
With extensive experience in internet and technology law, you can rely on 360 Business Law to help devise a robust security strategy and keep you compliant with the relevant regulations - all at a fraction of the cost of a traditional law firm.
For specialist legal advice on how to mitigate and manage the cyber threat to your business, get in touch with one of our business lawyers today on 01276 804432 to make an appointment.