The British government has announced that nearly half of all UK businesses identified at least one cyber security breach or attack in the last 12 months. The Cyber Security Breaches Survey 2017 details the action businesses are taking on cyber security and the costs and impacts of cyber breaches and attacks. The survey, which was completed by 1,500 UK businesses and included 30 in-depth interviews, comes hot on the heels of yesterday’s report on cyber-attacks from the British Chamber of Commerce.
The results from the BCC revealed that one in five businesses had fallen victim to cyber-attacks in the past year. The survey of more than 1,200 businesses across the UK found that large businesses are more likely to become the victim of a cyber-attack than their smaller competitors.
Both surveys unveil a shocking truth: cyber criminals are targeting businesses of all sizes in the UK, with the threat increasing day by day. The most common breaches or attacks came through emails, followed by viruses and malware. The cost of rectifying cyber-attacks ranges from the thousands to the millions, so companies must be adequately prepared for all forms of attack, otherwise the costs could be detrimental.
Anton Grashion, Managing Director-Security Practice at Cylance, feels that the results are “an underestimate”. He continues, “This assumes they even know they have been hit; secondly, people are more likely to under-report. Evidence of our testing when we run a POC with prospective customers is that we almost invariably discover active malware on their systems, so it’s the unconscious acceptance of risk that plagues both large and small businesses.”
With the government committing £1.9 billion to cyber security, the aim is certainly to make the UK the best protected nation within the cyber landscape, but are businesses doing enough to protect themselves?
The onus to make sure a company is secure should be a mindset that is adopted by all employees, including those at board level. This is a view supported by Phong Le, Manager at Synack, who demands that “executives at the top need to stop outsourcing security risk to the IT department. The good news is that we’re starting to see business leaders being held accountable for data breaches. Negligence hurts compensation. Negligence also cripples business earnings. Although regulations like GDPR are a step in the right direction, let’s not make the mistake of being compliant for compliance’s sake. Leaders need to do whatever it takes to avoid security downtime because in the end, it hurts the bottom line.”
Experts from the IT security industry, including Imperva, FireMon, Lastline, Corero Network Security, Tripwire and NuData Security, were all on hand to comment further on the governmental reports.
Paul Edon, Director at Tripwire, claims, “Many businesses still remain unprepared for a cyber-attack because it’s difficult to prepare for something you don’t understand, can’t visualise, and haven’t experienced.” He adds, “The dynamic nature of cyber attacks often makes it hard to pinpoint a root cause, and so executives with a desire to prepare are faced with choices, rather than clear actions to fund.”
For Paul, the top three measures a company can take to mitigate cyber risk are:
- “Start by understanding the risk you have. You have to conduct regular, preferably continuous, assessments of configuration and vulnerability risk across your IT systems. The attackers will be doing the same.
- Don’t ignore the simple, best practices. Keep software up to date, apply security patches, change passwords, and make sure terminated employees and contractors don’t have access. This security hygiene goes a long way to making the attackers’ job more difficult.
- Train your employees on how to recognise a scam. Much of cyber security is about human nature and social engineering. Training must be ongoing because the attackers change their tactics.”
Robert Capps, VP of Business Development at NuData Security, believes, “It is revealing that the report finds one in five businesses have been hacked, and that only 24 percent have protective measures in place. The inevitable conclusion, even though the correlation isn’t made in this particular report, is that companies are still slow to respond to the risk of cyber attack until it happens, at which point they then acquire necessary protections. A situation which leaves companies vulnerable and only perpetuates the risk of cybercrime online.
“The report indicates that enterprises are more likely to be attacked than SMBs, yet defines a large company as over 100 employees. Other reports, such as Symantec’s 2016 Global Threat Report, indicate that only 35 percent of cyber attacks target large enterprises over 2500 employees. Whatever the exact breakdown is, SMBs are typically less prepared than larger enterprises which usually have large fraud and security teams in place. Enterprises present bigger targets and are hit with different sorts of attacks. No matter what their size, all businesses should take note that computer intrusions and hacking are now a fact of life. Small or large, companies should ensure that they have appropriate incident response processes and preventative measures in place and make sure that there are no single points of failure in the response chain. All online businesses should ensure that an appropriate accounting of actions, impacts, and learnings is provided to senior management, so improvements can be instigated. Poorly managed computer intrusions lead to most unmitigated data theft incidents, such as we’ve seen in recent high profile breaches.”
Stephanie Weagle, VP at Corero Network Security, states that “attackers will always find new exploits, and new attack methods of disrupting financial opportunity, extortion, accessing personally identifiable data, and disrupting an organisation’s online availability. Cyber-attack activity is prevalent today, more than ever – especially when it comes to DDoS attacks.
“While the Internet has been fighting off DDoS attacks for over a decade, these denial of service attacks are taking centre stage as the techniques have become much more sophisticated in nature. Coupled with the ease of securing DDoS-for-hire services, access to massive botnets, and unlimited motivations we are seeing a far more dangerous concoction of attacks taking down major institutions.
“This elevation of risk comes at a time when DDoS attacks continue to increase in frequency, scale and sophistication over the last year. 31 percent of IT security professionals and network operators polled in a 2017 survey conducted by Corero experienced more DDoS attacks than usual in recent months, with 40 percent now experiencing attacks on a monthly, weekly or even daily basis. To alleviate this problem, 85 percent are now demanding additional help from their ISPs to block DDoS traffic before it reaches them.
“The biggest DDoS risk factor, which was cited by almost half of the respondents (45 percent), was the potential for loss of customer trust and confidence. Lost revenues were also a serious concern (cited by 17 percent), while malware infection (15 percent) was also seen as a potential problem.”
FireMon CTO Paul Calatayud feels that the results are “only the tip of the iceberg.” He continues, “As a cyber defender my entire career, this statistic tells me half the story, given that half of those that were surveyed and responded with the belief they were not hacked simply are not aware that they may have been hacked and were never aware. This can be supported a number of ways, but one alarming statistic is that the average hack usually is not detected for longer than 209 days.
“British businesses need to realise there is an entire global cyber criminal economy that out-earns the illegal drug industry in terms of revenue. And as such, cyber programs need to wake up and adapt into a detect and response approach that places equal investments in prevention as it does detection of hackers.”
CTO and Co-founder of Imperva, Amichai Shulman, added, “Our experiences show that 100% of businesses are under attack. With 20% of companies being breached while only 24% believe they have a proper security stance, we can only repeat the cliché that there are two types of business: those that have been breached and those that don’t know that they have been breached yet.”
Marco Cova, Senior Security Researcher at Lastline, gives a few pointers on where companies can improve security:
- Companies should help customers enforce safe password practices
- Companies should keep customer credentials safely encrypted such that if they are compromised at some point, the damage to their customers is at a minimum, whether that threat comes from the inside or the outside of the organisation
- Remaining vigilant in enterprise-wide patch management to keep all application and operating system patches up to date is crucial
In addition, “companies should also ensure a comprehensive malware defence strategy which uses behavioural analysis of files versus the first-generation method of signature-based identification. Signature or hash based identification is becoming obsolete by the malware development community’s ability to iterate on variants faster than the malware databases can keep up. These new innovations in malware allow this environment-aware code to lie in wait for long periods of time, within the enterprise, until such time as the attack sequence is optimal. This single trend changes everything.”