Cyber-attacks can be costly, not least because they put companies’ reputations at risk
Every business holding large amounts of data is liable to cyber-attack. Whether the attacker is hacking for honour, profit or revenge, systems can be compromised and valuable information lost.
Analysts say data breaches are on the increase and consumer awareness of the issue is rising. According to the Ponemon Institute, a cyber-security thinktank, cybercrime incidents against US companies have increased by 40% in each of the past two years.
Data leaks put digital identities at risk, including everything from residential addresses, usernames and passwords, to social security numbers, birth dates, account numbers and other personal information. Money from a bank account can quickly disappear, which can result not only in personal losses but in reputational damage to the company or institution holding the account.
Suffer a breach and you could even lose up to a third of your customers, according to a new study by Javelin Strategy & Research, a business consultancy which surveyed more than 5,000 US adults on their views on data security and privacy.
“Post-breach, people often choose not to associate with companies [that were hit by the data breach], impacting revenue for multiple quarters, and in some cases driving them out of business,” says David Monahan, research director for security risk at Enterprise Management Associates, a data management consultancy.
Cyber security experts say the best defence is to be prepared, but they warn that companies are not always aware of the weakness of their protection systems.
A study of 102 UK financial institutions and 151 retail organisations conducted this year by IT security firm Tripwire found that 40% said they would detect a breach within two or three days of its occurrence. “Unfortunately, real world breach data tells a very different story,” says Dwayne Melancon, chief technology officer at Tripwire. Organisations tend to find out late, often after being contacted by law enforcement sources, or after information is publicly leaked via a ransom note on Twitter or posted for sale on the “dark web”.
“[Companies] are fooling themselves,” says Melancon. “That is my concern, that they have a false sense of their own capacity and think they are better than they are.”
Don’t be a Target
If data has been lost, keeping the story to yourself or minimising details can make things even worse – as US retailer Target found out in December 2013 after a hacker made off with the personal data of up to 110 million customers.
Thought to be the biggest known credit card heist, the breach was reportedly acknowledged by company officials only after security journalist Brian Krebs broke the story online. Analysts have estimated the breach will cost Target $500m to $1bn in lost sales, with comparable store sales having already fallen by 2.5% in the fourth quarter.
Target's reputation has taken a hit, surveys show, and the company is facing lawsuits and accusations that it waited too long to disclose that its system had been hacked. Hundreds of complaints and class-action lawsuits have been filed. Target now has to deal with state regulator inquiries, as well as shareholder actions alleging wrongdoing by company leadership.
Beyond a damaged brand and decreased sales, consequences could also include loss of third-party partnerships and contractual penalties imposed by customers, partners or service providers.
The pervasiveness of media and social networks means that news of data breaches spreads uncontrollably. Risk consultants advise getting out in front by having a pre-planned response strategy in place that speaks directly to affected customers. Such strategies should include a carefully drafted letter laying out the basic facts, as well as detailed scripts for call centre personnel, updated information pages for the company website, training for frontline employees, and the engagement of a public relations firm to respond to media inquiries.
Companies are also rushing to take out specialised cyber risk insurance policies which cover the costs of notifying customers and offering them credit monitoring services. These policies can also cover defence costs and damages for any resulting lawsuits, with some insuring any data or systems lost or destroyed as a result of a hack. Some policies may also cover any resulting loss of revenue, or even damage to a company's reputation following a data breach.
Data breach laws
Suffer a data breach involving personally identifiable information and your company may find itself under some kind of government-mandated disclosure requirement.
Data breach notification laws have already been adopted by many countries, including Germany, Russia, India, Chile, Brazil and Mexico. Asia Pacific is perhaps the fastest-moving region, with laws recently passed in Singapore and India, along with substantial reforms passed in Australia and Hong Kong.
The UK government has launched its Open Data strategy that seeks to promote the sharing of public sector data with citizens, other government departments and the private sector. And through its Midata scheme it also seeks to give consumers greater control of, and access to, their data processed in the private sector.
At present, the European Union only requires telecommunications companies to adhere to data breach notification laws, although this is to be extended to all sectors if the proposed Data Protection Regulation is passed, something expected by the close of 2014.
The US approach to data breach disclosure is overly complex – with 46 states currently having varying laws. An overarching federal approach to data protection – ensuring consumers have transparency and choice over where they spend their money – has been proposed but is languishing before Congress.
Similar in design to the proposed EU legislation, the US proposals have provisions regarding who must comply with the law, definitions of “personal information”, what constitutes a breach, requirements for notice, and exemptions (such as with encrypted information). Individuals will need to be told what data is held and how it is being processed, usually achieved by layered data privacy notices, provided to the individual before data collection occurs.
This all bodes well for the consumer – but with privacy laws still often vague and fragmented, the onus is on business to go beyond minimum compliance standards.
Finding the right data security solution for your company can be a daunting task, and yet there are some very basic steps that begin the journey.
First, says James Cortada, a senior research fellow at the University of Minnesota who has written on the history of information in society, know what is most critical to the company. Is it intellectual property, customer data, reputation or patents? In other words, understand your risk. “Most companies do not,” says Cortada.
Next, Cortada says companies should update security for mobile computing and use of the cloud. Collaborate with other users of data to learn new methods of security inside and outside your industry. At the same time, make a senior executive responsible for data security and have the chief executive frequently communicate the importance of security to the entire organisation. Last, establish and enforce security standards with business partners, customer organisations and consumers.
Encrypting personal information so that a stolen copy is unreadable without the key is one option to secure data. Another is the increasing use of big data, an approach that gathers massive amounts of digital information to analyse, visualise and draw insights that can make it possible to predict and stop cyber attacks.
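To make the encryption option concrete, here is an added Go example (not code from the article, its sources or any product it mentions) that seals a customer record with AES-256-GCM. The record contents, the key handling and the record identifier used as associated data are assumptions for the example. The point a practitioner should take from it is the one the breach-law exemption for encrypted data depends on: the key must live somewhere the attacker who dumps the database cannot reach, such as a KMS or HSM, and the cipher must detect tampering rather than silently return garbage.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh 256-bit AES key. In production this lives in a KMS or
// HSM, not beside the data it protects: a dump that contains both ciphertext
// and key is not "encrypted" in any sense that matters after a breach.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM. The result is
// nonce || ciphertext || tag. aad (here the row's identifier) is authenticated
// but not encrypted, so a ciphertext copied into another row fails to decrypt.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit random nonce; never reused with the same key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord. A modified sealed record, a wrong key or
// the wrong aad makes Open return an error instead of plausible-looking bytes.
func DecryptRecord(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := NewKey()
	// Constructed sample record; the values are placeholders, not real data.
	record := []byte(`{"name":"A. Customer","ssn":"000-00-0000","dob":"1970-01-01"}`)
	sealed, _ := EncryptRecord(key, record, []byte("customer:42"))
	fmt.Printf("stored in the database: %x\n", sealed)
	if _, err := DecryptRecord(key, sealed, []byte("customer:43")); err != nil {
		fmt.Println("ciphertext moved to another row is rejected:", err)
	}
	plain, _ := DecryptRecord(key, sealed, []byte("customer:42"))
	fmt.Println("round trip intact:", bytes.Equal(plain, record))
}
```

Encrypting every column this way does not help if the application server that holds the key is itself compromised; the control limits what an attacker with a copy of the storage can read, which is exactly the case the notification exemptions are written for.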
The approach centres on real-time detection enabling quick, adaptive capabilities across mobile, social and online platforms. It requires “better software that can adapt to the threats it faces but also skilled programmers, engineers, system testers and other cyber security professionals,” says Michael Endsor, author of research company VisionGain's “Top 20 Cyber Security Companies 2014” report.
With cyber-thieves becoming more aggressive, consumer expectations are only rising, and the private sector cannot afford to be complacent.
Best practices for information security are covered in a number of security frameworks such as the SANS Top 20 Critical Security Controls, ISO 27002, COBIT and recent publications from the National Institute of Standards and Technology (NIST).
The banking sector has a set of global guidelines and a robust network of shared threat information coordinated by the Financial Services Information Sharing and Analysis Center, a membership association launched in 1999.
Retailers in the US recently convened a similar task force through the Retail Industry Leaders Association. Similar efforts are taking place across nearly all sectors, including pharmaceuticals and healthcare.
Preventing data breaches
Threats from cyber attacks have increased dramatically over the past 10 years. In response, spending on information security has exploded, and was estimated to reach $60bn globally last year, according to Gartner, a leading technology research firm.
Funds are needed for properly trained security staff equipped with an up-to-date inventory of the systems and data they defend. A well-maintained defensive posture can thwart, or at least contain, even advanced cyberattacks.
One important tool to protect against identity theft is strong second-factor authentication: in addition to the username and password, the user must present a second proof of identity, such as a one-time code from a phone app or a hardware token, so that a stolen password alone is not enough to log in.
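As an added example of what the second factor actually checks (this is illustrative code written for this page, not from the article or any vendor it names), the Go program below implements the time-based one-time password scheme of RFC 6238 on top of RFC 4226 HOTP, which is what most authenticator apps generate. The shared secret in `main` is the RFC's published test secret; a real deployment issues a random per-user secret, stores it server-side like any credential, and records the last accepted time step so the same code cannot be replayed. The 30-second step, six digits and one-step skew are assumptions (common defaults).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strconv"
	"time"
)

// HOTP computes an RFC 4226 one-time code: HMAC-SHA1 over the big-endian
// counter, then "dynamic truncation" to a 31-bit integer reduced mod 10^digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	s := strconv.FormatUint(uint64(code%mod), 10)
	for len(s) < digits {
		s = "0" + s // keep leading zeros: "007081" is a valid code
	}
	return s
}

// TOTP is RFC 6238: the counter is the number of step-second intervals since
// the Unix epoch, so server and authenticator derive the same code from the
// shared secret and roughly synchronised clocks.
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// VerifyTOTP checks a submitted code against the current time step and up to
// skew steps either side (to tolerate clock drift), comparing in constant time.
// It returns the matching step so the caller can persist it and refuse a
// second login with the same code inside the validity window.
func VerifyTOTP(secret []byte, submitted string, unixTime int64, step int64, digits int, skew int64) (bool, int64) {
	now := unixTime / step
	for d := -skew; d <= skew; d++ {
		c := now + d
		if c < 0 {
			continue
		}
		want := HOTP(secret, uint64(c), digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(submitted)) == 1 {
			return true, c
		}
	}
	return false, 0
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret; real secrets are random and per user
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	ok, step := VerifyTOTP(secret, code, now, 30, 6, 1)
	fmt.Printf("code %s accepted=%v at step %d\n", code, ok, step)
}
```

The skew window is the trade-off to watch: each extra step widens the set of codes an attacker can guess at, so keep it at one step and rate-limit attempts, and note that a code phished in real time still works within that window, which is why hardware-bound factors such as FIDO keys resist phishing where TOTP does not.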
Complementing this, network segmentation, the process of separating networks containing sensitive information from those that do not, means sensitive resources are reachable only from the systems that genuinely need them, so an intrusion into one segment does not automatically give access to the rest.
Whitelisting (also called application allowlisting) is a technique that permits only an approved set of software to be installed or run on computers. Malware dropped onto such a computer does not match the whitelisted set and is blocked from executing. This might have prevented the December 2013 attacks on Target.
In addition, carefully monitoring network traffic with intrusion detection and intrusion prevention systems (IDS/IPS) allows security analysts to spot the unauthorised traffic patterns attackers generate, such as internal systems sending data to unfamiliar external hosts, and to investigate them before the loss is complete.
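To show the kind of check that the analytics-driven detection mentioned earlier and the IDS/IPS monitoring above both rest on, here is an added Go example; it is written for this page and is not code from the article, its sources or any IDS product. It runs a simple egress rule over a constructed flow log (the records are made up and the addresses are documentation ranges): an alert is raised when an internal host talks to an external host on a port outside the egress allowlist, or when the bytes sent to a single external host exceed a threshold. The internal range, the allowlist and the threshold are assumptions for the example; a real deployment would take them from the network inventory described earlier in this section.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strconv"
	"strings"
)

// sampleFlows is a constructed flow log, not captured from any real network:
// timestamp, source IP, destination IP, destination port, bytes sent by source.
// One deliberately malformed line stands in for collector glitches.
const sampleFlows = `2014-01-10T02:14:00Z 10.20.5.17 10.20.1.4 443 1200
2014-01-10T02:14:05Z 10.20.5.17 203.0.113.9 21 52428800
2014-01-10T02:15:10Z 10.20.5.23 198.51.100.7 443 2000
2014-01-10T02:16:10Z 10.20.5.23 198.51.100.7 443 6291456
malformed line that a real collector might emit
2014-01-10T02:17:10Z 10.20.5.23 198.51.100.7 443 6291456
2014-01-10T02:18:00Z 198.51.100.7 10.20.5.23 443 9000`

// Alert records one suspicious egress observation.
type Alert struct {
	Src, Dst string
	Port     int
	Reason   string
}

type flow struct {
	src, dst net.IP
	port     int
	bytesOut int64
}

// parseFlow parses one whitespace-separated record and rejects records with
// the wrong field count or unparseable IPs and numbers rather than guessing.
func parseFlow(line string) (flow, error) {
	f := strings.Fields(line)
	if len(f) != 5 {
		return flow{}, fmt.Errorf("expected 5 fields, got %d", len(f))
	}
	src, dst := net.ParseIP(f[1]), net.ParseIP(f[2])
	if src == nil || dst == nil {
		return flow{}, fmt.Errorf("bad IP in %q", line)
	}
	port, err := strconv.Atoi(f[3])
	if err != nil || port < 1 || port > 65535 {
		return flow{}, fmt.Errorf("bad port in %q", line)
	}
	b, err := strconv.ParseInt(f[4], 10, 64)
	if err != nil || b < 0 {
		return flow{}, fmt.Errorf("bad byte count in %q", line)
	}
	return flow{src: src, dst: dst, port: port, bytesOut: b}, nil
}

// DetectExfil scans a flow log for internal hosts talking to external hosts on
// ports outside the egress allowlist, or sending more than threshold bytes in
// total to one external host. It returns alerts in log order plus the number
// of unparseable records, which are a visibility gap worth counting.
func DetectExfil(log string, internal *net.IPNet, allowedPorts map[int]bool, threshold int64) ([]Alert, int) {
	var alerts []Alert
	skipped := 0
	total := map[string]int64{}  // bytes per src->dst pair
	flagged := map[string]bool{} // pairs already alerted for volume
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		fl, err := parseFlow(line)
		if err != nil {
			skipped++
			continue
		}
		// Only internal -> external traffic is egress; everything else is ignored here.
		if !internal.Contains(fl.src) || internal.Contains(fl.dst) {
			continue
		}
		s, d := fl.src.String(), fl.dst.String()
		if !allowedPorts[fl.port] {
			alerts = append(alerts, Alert{Src: s, Dst: d, Port: fl.port, Reason: "egress on non-allowlisted port"})
		}
		key := s + "->" + d
		total[key] += fl.bytesOut
		if total[key] > threshold && !flagged[key] {
			flagged[key] = true
			alerts = append(alerts, Alert{Src: s, Dst: d, Port: fl.port, Reason: "cumulative egress volume above threshold"})
		}
	}
	return alerts, skipped
}

func main() {
	_, internal, _ := net.ParseCIDR("10.20.0.0/16") // assumed internal range
	alerts, skipped := DetectExfil(sampleFlows, internal, map[int]bool{80: true, 443: true}, 10<<20)
	for _, a := range alerts {
		fmt.Printf("ALERT %s -> %s:%d  %s\n", a.Src, a.Dst, a.Port, a.Reason)
	}
	fmt.Printf("%d unparseable record(s)\n", skipped)
}
```

Two of the three alerts come from the same host sending 50 MB to an external address over FTP, which a port allowlist catches immediately; the third is slow leakage over an allowed port (443) that only the running byte count exposes. Both rules are crude, and the point of the big-data approach is to replace fixed thresholds with baselines learned per host, but the shape of the logic, normalise the record, classify the direction, and compare against what the network is expected to do, is the same.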