Despite efforts to improve cyber security, recent attacks suggest there is a lot of work still to do.
The first national cyber security strategy was published by the Cabinet Office in 2008, and adopted in 2010. One of the major planks in the cyber strategy was to encourage major British businesses to upgrade their cyber security.
Given recent announcements in the press it seems that a lot of British businesses are not quite there yet. Recently the CEO of TalkTalk had to publicly apologise for a major cyber security attack, the third within 12 months. Originally there was speculation that the attack was mounted by professional Jihadi hackers, although recent developments (which have not yet been proved) suggest that it was perpetrated by a 15-year-old schoolboy and a 16-year-old schoolboy. If these allegations are proved correct then there are obviously serious questions surrounding TalkTalk’s cyber security strategy.
Equally, Morrisons is facing claims from a large number of its employees relating to their personal data going missing.
There is anecdotal speculation amongst experts in cyber security that ransom and other types of attacks occur regularly and are simply swept under the carpet rather than disclosed.
This was the case in California until legislation made it compulsory for companies to disclose cyber attacks. It was only then that the true scale of the cyber security problem became apparent.
Similar legislation is being proposed by the EU in the form of the Network Directive, which may or may not enter into force next year. The Network Directive will require Member States to compile lists of their critical infrastructure providers. In the UK this will almost certainly include the financial services sector and crucial service providers such as air traffic control, power generation companies and telecom companies. There is still much debate as to whether social media providers such as Google and Facebook should also be included on these lists.
The consequences for a company after a major cyber attack can be very significant. These include a loss of customer or employee trust and confidence, as evidenced by the fact that TalkTalk customers are looking to terminate their contracts and Morrisons employees are looking to sue for damages over data theft. They also include a drop in share price as a result of the publicity and, most significantly, investigations and possible civil and criminal sanctions by the regulators, coupled with follow-on civil actions for damages.
So the question which needs to be asked is why do companies tend to get cyber security so wrong?
There seems to be a large degree of false confidence amongst IT directors and the company boards who run companies as to the standard of their data security. Phrases such as “we take the protection of data very seriously” and “maintain adequate security systems” spring to mind. The fact is that no security system will stop a determined cyber attacker. An attacker with the right resources is able to hack high security facilities such as the Pentagon. This being the case, commercial companies can never be sure of stopping every attack from getting through.
However, what they can do is make sure they exercise vigilance and are able to put measures in place to counter an attack as soon as they see it building or recognise that it is occurring. Again, according to anecdotal evidence, it has taken companies up to two days or more to work out that they are being attacked, and only then to try to put measures in place to limit or prevent the damage.
Most companies that have suffered a serious attack tend not to publicise the fact that it has happened. For example, a large Middle East entity was hit with a significant state sponsored cyber attack a couple of years ago. It had been told by several major cyber security specialists that the attack was building, but despite being forewarned it undertook no measures to counter it. This resulted in major damage to the company’s IT systems.
Therefore it is crucial for a company to bring in outside specialists to counter the attack as soon as it knows the attack is building.
It is also critical for the attack to be properly investigated: to understand how the breach occurred, to establish whether the hackers received any help from inside the organisation, to gather evidence to show a regulator that adequate systems and procedures were in general in place but that on this occasion an attack managed to circumvent them, and to set out to the regulator and to other stakeholders such as shareholders what measures are going to be taken to prevent a recurrence of the attack.
Also, in the case of attacks on critical infrastructure, there may be a need to liaise with the intelligence services and the police so that they are aware at a very early stage that the attack is happening. They may then be able to assist in preventing the attack, and in preventing similar attacks on other critical infrastructure providers.
Also, there is a need to get the correct communications message out to the public. It is trite for the CEO to appear on TV in the aftermath of an attack, where customer data has potentially been stolen and may be used to the customers’ detriment, and say that the customers themselves have a duty to be vigilant and that “we are all in this together”.
The fact of the matter is that all measures should be taken by companies, including the encryption of customer data, to ensure that if it is stolen it is difficult for hackers to use or sell on. Assistance should also be given to customers to manage the fallout from the loss of their data. Companies that do not follow these simple guidelines risk catastrophic consequences, which would ultimately include being put out of business.
Cyber is one of the serious threats facing companies, and cyber strategy should be dictated and monitored at board level and constantly updated. The sad fact of the matter is that companies tend to put compliance strategies in place and then turn them into box ticking exercises rather than making them an integral part of the board’s governance strategy.
The only thing that can be said about cyber with complete certainty is that there is going to be an increase in cyber attacks on companies, both by state sponsored operators and by criminals or pressure groups who wish to use cyber attacks to further a particular issue or cause. Furthermore, it is clear that companies that face a cyber attack also face a number of other threats, including regulatory sanctions, criminal and civil penalties, follow-on civil actions, and damage to reputations and share prices.
The fact that companies may not be able to be 100 per cent certain of stopping cyber attacks does not mean that they should not take adequate measures to prevent or mitigate them. It is also clear that going forward we are likely to see a new raft of legislation surrounding cyber along the lines of the proposed EU Network Directive.
Mike Pullen, partner, Stephenson Harwood