Why Cybersecurity is Moving up the Executive Agenda
With the final £1.8m payment made, Claudio Lotito, chairman of top Italian football team Lazio, celebrated completion of the transfer of Dutch defender, Stefan de Vrij, with friends last week. But the celebration was short-lived. A phone call from Feyenoord the next morning enquiring after the missing fee led to the discovery that online criminals had persuaded the club to send the money to a bank account the criminals, not Feyenoord, owned.
Lazio aren’t the only business to suffer, as other high-profile attacks of the last year have shown:
- Hackers stole the credit and debit card details for 5 million consumers from upmarket New York retailer, Saks Fifth Avenue. Significantly, the data was extracted over a 10 month period with the hackers seemingly helping themselves whenever they wanted.
- Records, including phone numbers and account PINs, for 14 million customers of telecoms company Verizon, were found on an unprotected fileserver.
- A vulnerability on the Equifax website meant the personal data of as many as 140 million customers in the US, UK and Canada were widely available.
And it’s not just large businesses that are feeling the heat. A survey by Zurich Insurance found that nearly 900,000 UK SMEs suffered a cybersecurity breach in the last 12 months.
With the increasing number of attacks, and regular news items reminding us of how big and bad the problem is, it’s no wonder companies are thinking: ‘not if, but when’.
Cybersecurity is more important than ever
Cybersecurity measures are becoming more important for businesses of all size because the number of attacks is increasing, the types of threat are changing, regulations are tightening and, as a result, revenue and profit are at risk.
A survey of 1200 C-level executives found half were changing, or planning to change, their cybersecurity activities because of the increased threat from cyberattack. Many had already experienced breaches. 80% said a careless member of staff was the most likely source of attack. Worryingly, a lot of those breaches were caused by known vulnerabilities, which suggests risk management planning was poor.
Threats are changing & the problem is getting worse
Cyberattack tools are readily available
On the dark web – the murky undercurrent of the traditional Internet where products from vice, through weapons to real estate are for sale – cyberattack tools are cheap and easy to find. Software for harvesting passwords can be found for $50, ransomware for $200 and malicious file encryption software, a bargain at $25. A completely new personal identity? Yours for $1100.
Ransomware is getting smarter
The principle of ransomware is straightforward: malicious code is used to encrypt business data which stays that way until the company pays up or a security vendor finds a fix. But for all the effort from vendors to neutralise ransomware before it can do any harm, or to develop smarter decryption tools, the criminals are one step ahead. Encryption algorithms are getting more sophisticated — encryption is done slowly, rather than as a big bang, to help avoid detection — and different attacks are launched simultaneously through different routes to further confuse detection software.
Shortage of cybersecurity skills
The rise in cybercrime will more than triple the number of unfilled cybersecurity jobs, which are predicted to reach 3.5 million by 2021. Since cybersecurity tools need to be installed, configured and kept up to date with patches to catch new threats, it’s easy to see how that skills shortage can translate to a bigger threat for businesses, especially smaller ones that can’t pay the unsurprisingly high salaries.
The types of attack are changing
Ever inventive, cybercriminals are finding new ways to attack. Some focus on unknown vulnerabilities in newly released hardware or software. Finding these so-called zero-day threats before the vendor does means there is no effective deterrent and a high success rate for the criminals.
Business Email Compromise, also known as CEO Fraud, is a phishing scam that uses a fraudulent email to impersonate a senior executive. An employee, usually in the finance department, gets an apparently real, and usually urgent, message from a senior manager to release funds to an account the criminals hold. It can be remarkably effective and only needs to work once to net the criminals a big return.
Governments are responding with new regulations
Given the increase in attacks and the resultant threat to commerce, it's unsurprising that regulators are taking a greater interest in cyberthreats.
At the request of the 2017 G20 summit, the Financial Stability Board evaluated the scale of financial sector cybersecurity regulations in the 25 FSB member countries. Each had at least one regulatory scheme, some as many as 10.
The two flagship acts in the US and Europe
The Cybersecurity Act became law in the US in 2015 and has been called the most significant piece of federal cyber-related legislation ever introduced. It enables sharing of cybersecurity information between the private sector and federal government and contains measures to improve the effectiveness of federal cybersecurity activities.
Europe is heading in the same direction, with the European Cybersecurity Act having started its journey through the EU parliament in September of last year. It will inevitably result in a series of specific regulations in the coming years, meaning a bigger compliance headache for companies operating in Europe. These two acts sit alongside existing regulations that address cybersecurity including the New York Department of Financial Services Cybersecurity Regulation, HIPAA and PCI DSS.
Data protection is getting everyone’s attention
In the short term the biggest show in town is data protection.
In the EU this takes the form of the General Data Protection Regulation (GDPR), which takes effect on 25th May this year. Although the Regulation is being introduced by the EU parliament, compliance is needed for any company, regardless of home or operating location, that stores or processes personal data of individuals from the EU.
Non-compliance can be met with hefty fines – up to 4% of turnover or €20 million, whichever is greater – and has instilled a mixture of fear and panic in businesses that operate within its scope. At the beginning of March, only 10% of UK businesses said they were ready for the deadline. The US equivalent is the Data Security and Breach Notification Act that entered the Senate in November. Although it has a long way to go before becoming law, the current draft contains a proposed maximum five-year prison sentence for intentionally hiding a personal data breach.
With the increase in the number of attacks and regulations, SMEs in particular stand to lose the most given their limited resources. That’s the subject of our next post.