Cyber risks are now in the top three concerns for UK businesses. According to insurer Allianz’s annual “Risk Barometer” survey, worries over cybercrime, IT failures, espionage and data breaches are up significantly in the last year, to third from seventh place a year before. Globally it has also risen – to number five.
Partly, this is down to coverage of big attacks, admits Allianz Global Corporate & Specialty head of fidelity Nigel Pearson. From the hacking of Sony Pictures Entertainment, allegedly by North Korea (according to the FBI), to losses at US retailers such as Home Depot, where 56 million payment card details were exposed, cybercrime was rarely out of the news in 2014.
It was also the year of scares that came with fantastic-sounding names such as Poodle, Shellshock and Heartbleed. Taking into account the recent hacking of the Pentagon’s Twitter and YouTube accounts and networking giant Cisco Systems’ warning that more than half of the websites affected by Heartbleed remain vulnerable nine months later, there is little sign of that letting up in 2015.
But high-profile attacks and cyber’s prevalence on businesses’ risk registers are also a symptom of an everyday challenge.
In January, a survey for the British Retail Consortium showed most retailers reporting a rise in cyber-attacks.
More widely, Pearson points to The Information Security Breaches Survey published by the Department for Business, Innovation & Skills (BIS) last April. This showed 81 per cent of large organisations and 60 per cent of small businesses reporting a cyber breach in the last year.
“The simple fact is that organisations know they are having breaches,” he says. “It’s their own experience, as well as media coverage of some of the big attacks, that’s driving interest.”
In this context, the big stories are useful reminders of both the range of risks – from straightforward theft and fraud, to corporate espionage and “hacktivism” – as well as the difficulty of keeping intruders out for even the biggest companies.
A growing business
Part of the problem is that cyber criminals are increasingly organised. Recent years have seen a commercialisation of the cybercrime support industry, noted a report by EU police agency Europol’s European Cybercrime Centre in September. Those with technical expertise are offering “crime-as-a-service”, selling it on to enable those without to undertake more sophisticated attacks.
“Go back a few years and it was hobby hackers behind attacks, but with time they’ve realised they can specialise in one aspect and work with others specialising in others. It’s the traditional industrialisation of an industry,” explains Adrian Nish, head of cyber threat intelligence at defence and security group BAE Systems.
This is another reason why high profile attacks are worth keeping an eye on for everyone – particularly if they break new ground or exploit previously unknown vulnerabilities. As Richard Horne, cyber security partner at consultants PwC, says, “There is a criminal market in tools and techniques, so once a tool has been used in one attack it is typically available to others.”
The increasing sophistication of attacks has also coincided with other trends, Horne adds.
First, there has been an increasing reliance on digital processes and a growing interconnectedness – take, for example, the rise of cloud computing and staff bringing their own devices, such as mobile phones and tablets, to work (the “bring your own device”, or BYOD, trend). This has seen a rise in the number of potential access points for attackers. At the same time, there is greater scope for mass breaches of customer data or other sensitive information due to the trend to digitise and consolidate information.
“It all means the potential impact in terms of the scale of breaches is growing,” summarises Horne.
The costs and economic impacts of cyber attacks vary widely, but the 2014 Global Report on the Cost of Cyber Crime, published by researchers at the Ponemon Institute in October, calculated the average annual cost of cybercrime to those surveyed in the UK was $5.93m (£3.90m). Overall, the Center for Strategic and International Studies put the annual cost to the UK economy in 2013 at 0.16 per cent of our annual GDP. This figure rockets up to 0.64 per cent of GDP in the US, and 1.6 per cent in Germany.
An evolving risk
The threats are ever-changing. At a general level, new malware (viruses, trojans or worms) continues to proliferate, with monitoring firm PandaLabs recently stating that 227,747 new malware samples are released each day. Trends from previous years are likely to continue, such as attacks on payment systems that saw success with Home Depot and Target, among others. Likewise, nation states are predicted to continue and increase their activity, whether to disrupt business (as with Sony) or with espionage in mind.
Security experts are keen to highlight other areas as well. One is the rise in “ransomware”, which encrypts victims’ own data so criminals can demand payment to unlock it. The last year has seen victims targeted through hazardous adverts on big-name websites such as Yahoo and AOL, and the coming year may see ransomware developers target cloud storage services such as Dropbox and Google Drive, McAfee has warned.
The “internet of things”, meanwhile, has already had a scare from Heartbleed, with internet-connected printers, videoconferencing systems and even thermostats revealed to be vulnerable, as well as websites. IT group Gartner estimates that the 4.9 billion connected things (whether domestic appliances, building security systems, cars or other devices) in use in 2015 will grow to 25 billion by 2020.
According to David Emm, principal security researcher at security software company Kaspersky Lab, the risks are only going to grow: “As more and more areas of our life have been computerised or made digital, that has increased the risk because it is another area that cyber criminals can go after.” Concerns and attacks will also continue to focus on a range of other areas, such as the use of the cloud and vulnerabilities caused by the continuing rise of BYOD.
Fighting back
Not all technological developments are working against businesses, though. Protection is also increasing in sophistication. Nish, for instance, notes that developments in big data, with computers able to scan and analyse ever-larger amounts of information, can help in the fight against crime. “It is extremely useful for detecting odd patterns of behaviour that might be a cyber attack,” he says.
The government is also putting effort into helping businesses stave off the threat. In January it announced a range of new measures including an update to its 10 Steps to Cyber Security guide for businesses and a new report detailing common cyber attacks against industry and how to stop them. It follows moves with its Cyber Essentials certification scheme, launched last June, for companies able to demonstrate they are taking specific steps to mitigate the risk of cyber breaches.
Longer-term, EU discussions also continue regarding the draft Network and Information Security directive that could introduce mandatory minimum security standards. While focused on critical sectors such as transport, energy and banking, it is likely to have a wider impact, according to Chris Forsyth, a partner in the London IP/IT practice of lawyers Freshfields Bruckhaus Deringer.
“Even though the directive will define entities to which the obligations apply, it will only be meaningful if they are obliged to flow through those obligations with their suppliers and contractors,” he explains.
In the meantime, though, the UK government has preferred voluntary approaches, encouraging businesses to improve and to share best practice. Initiatives among the banks and financial services industry to share information on attacks and risks are held up as models that could be followed.
More to do
The government argues this is all having some impact. The Department for Business, Innovation & Skills’ annual FTSE 350 Cyber Governance Health Check, published in January this year, shows increased awareness and action. However, concerns persist, particularly around smaller firms but also even among larger, more mature entities. The Bank of England, for instance, warned before Christmas that senior bank staff were still failing to take the threat of cyber attack seriously. According to those in Allianz’s survey, meanwhile, cyber risks were the most likely to be underestimated by their businesses.
So what can be done?
First, businesses should use the tools at their disposal to make it as hard as they can for attackers.
“It is the opposite of dating; they have to make themselves look as unattractive as possible,” says Steve Durbin, managing director of the Information Security Forum, a global not-for-profit organisation that provides members with information on how to deal with cyber risks.
That will include investing in technological defences and education for staff who are so often the weak link. It may also mean altering the very way business is done.
“It requires thinking about how your business operates and almost redesigning your processes to be securable,” says Horne. “For example, do you need to send the data to a third party? Do you need to give a third party access to your network, or could you collaborate using a cloud service and therefore not expose your network to someone else?”
More fundamentally, the lessons from high profile attacks are that even companies with the largest resources are not able to be entirely secure. A report for the Information Technology Faculty of chartered accountants group ICAEW last November supports the case that businesses are improving, addressing previous areas of weakness, including basics such as patch management, and becoming better at protecting against attacks. However, it also found cyber attackers were growing in sophistication faster.
“There is a growing gap between business capabilities and cyber attackers’ capabilities,” warns ICAEW’s head of IT faculty Richard Anning.
While businesses must do all they can to protect themselves, he says, a key part of the planning must also be to prepare for the worst and plan for what happens when attackers do get in. “You have to assume you are going to be compromised,” he says. As Durbin puts it, “It is not a case of if, but simply when.”
Peter Davy is a freelance writer