How safe are you from a cyberattack?
As if businesses haven't got enough to worry about, with COVID and Brexit causing issues throughout the UK, there are also other threats to consider.
Cyber-attacks are in the news again, but they are nothing new. First seen in 1972, the intrusions are now far more dangerous. Last May, Colonial Pipeline, which operates a pipeline that carries 3,000,000 barrels of fuel a day between Texas and New York, was the subject of a ransomware cyber-attack that shut its systems down for five days, leaving the East Coast of America short of fuel. A few days later, at the start of June, the world’s largest meat processor, JBS, was also attacked by ransomware, and its operations in Australia, Canada, and the US were halted.
A March 2019 report on infosecurity-magazine.com, headlined “Most UK retailers see increase in cyberattacks”, quoted a survey from the British Retail Consortium. It found that almost 80% of respondents had seen an increase in cyberattacks. Phishing (a fraudulent message designed to trick a person into revealing sensitive information to the attacker or into deploying malicious software, such as ransomware, on the victim’s systems) was viewed as a high-risk cybercrime by the largest number of respondents [80%], followed by data theft [50%]. Denial of service, whaling (masquerading as someone senior in an organisation and directly targeting senior or other important individuals at that organisation to steal money or sensitive information, or to gain access to their computer systems for criminal purposes), and web-based attacks were each cited by between 40% and 50% of respondents.
Another report, PricewaterhouseCoopers’ Retail Outlook 2021: Cyber Security, noted that “cyber threats have become increasingly sophisticated as opportunities become more readily available and financially viable. It's no longer just rudimentary phishing scams that businesses need to be aware of”.
It continued: “theft of customer data has long been a significant concern for consumer businesses… (and that) has meant the risk they face from a cyber security perspective has increased further. With human operated ransomware attacks now one of the top priority cyber threats facing organisations, consumer facing businesses must know how to defend against these new types of risk.” The problem is acute, reckons a government report, the Cyber Security Breaches Survey 2021. It found that 39% of businesses were subjected to a cyber attack or breach in a 12-month period and that 21% lost money, data, or other assets. Further, the average cost of the cyber security breaches these businesses experienced was estimated at £8,460. For medium and large businesses combined, the average cost was higher, at £13,400.
Defining a Cyberattack
So what is a cyber attack? According to Wikipedia, the definition is “any attempt to expose, alter, disable, destroy, steal, or gain information through unauthorised access to or make unauthorised use of an asset… that is a computer information system, computer infrastructure, computer network, or personal computer device”. This is said to match the broad definition of an offence under section 1 of the Computer Misuse Act 1990, which criminalises any action that ‘causes a computer to perform a function with intent to secure access to any program or data held in any computer’ where that access is unauthorised.
It is often said there is no easy way to counter cyber threats.
Apart from an organisation's own systems, many say you should also look at the supply chain, especially where processes may share data between different companies.
Many argue that it is important to have an independent consultant. They urge caution against placing too much reliance on specific security products, many of which are good, but which solve only the security issue that the particular vendor advertises.
Staff training is something else to consider; the more of it there is, the lower the probability that a staff member will introduce harm to the business. Training needs to be regular. There is little point in only training during an induction week… staff may be sent a malicious email containing a spurious link at any time during their employment.
It is often said that the most efficient and well understood security environments are those where the company has worked to develop security as part of the culture of the organisation. A combination of carrot and stick is used to great effect, without defaulting to a punitive strategy for what happens should a breach occur.
And then there's the option of placing a warning on every email a staff member receives, flagging that it has come from an external source and may be malicious. However, many argue that this is likely to be ignored, as the staff member is anxious to read the email rather than the header, let alone a warning repeated in every header.
Crucially, it is important to include cyber security breaches as part of business continuity and disaster recovery planning. It’s worth noting that whilst some firms have been unable to continue after a cyberattack, those that have a robust incident response plan have not only been able to recover but have also minimised the overall impact on their business and operations.
The risks from doing nothing
For those that do nothing, and who suffer an attack, those in the legal profession first point to the fines for poor security under the civil part of GDPR, the General Data Protection Regulation. The probability of a fine is often seen as tiny, but the risk of criminal action is not: criminals, like regulators, have limited budgets and look for ‘low-hanging fruit’. If you can make your business more secure than that of your competitors, it will be enough to persuade some criminals to look elsewhere for a softer target. Beyond that, an organisation that does nothing should expect to suffer a security breach at some point, if it has not already. But beyond implementing security controls, an organisation also requires some form of monitoring… and if no monitoring is implemented, firms will not know they have been breached until the breach is made public. When this happens, a natural question follows: “who would trust an organisation that does not take security seriously?”
And then there's the risk of corporate failure… so, when evaluating security, firms need to consider not just their own situation, but also that of their supply chain. Hackers who gain access to systems could make far more by not revealing that a breach had occurred.