Companies ill-prepared for cyber attacks in 2016

2015 will be marked as the year when corporate cyber crime got serious.

Despite the fallout from the massive Sony hack at the end of 2014, the year began with chief executives in the UK regarding cyber crime as the IT department’s problem and ended with a series of highly publicised corporate hacks leaving company heads looking like rabbits staring into the car headlights.

In October, Dido Harding, chief executive of UK broadband and telecoms supplier TalkTalk found herself trying to explain how her company had allowed the confidential details of over 150,000 customers to be accessed. In mid-December she conceded to a Parliamentary Committee that cyber security was ultimately the responsibility of the chief executive and the board.

Other highly publicised attacks during 2015 included the US-based dating site Ashley Madison, which publicly exposed the private philanderings of many of its members, a significant proportion of whom received blackmail threats.

But these high-profile hacks are only the tip of vast iceberg of corporate cyber crime. For example, for nearly six months, a three-day cyber attack on JD Wetherspoon went undetected. The names, personal information and some credit card details of 656,723 customers fell into the hands of a Russian hacking group and no one at the UK pub and hotel chain knew about it. They eventually discovered the attack in late 2015 and the hospitality company addressed the issue.

The customer data was stolen from the company’s website and patrons who logged on to free WiFi at JD Wetherspoon pubs. The hack took place over three days, but the mass of stolen data and the company’s inability to protect information and notice it straight away, is one of many examples of companies falling victim to an attack under a deluge of threats.

These cyber breaches and the companies’ concerned slow reactions to the fallout from a high-profile hack reveal how unprepared most organisations are for coping with the immediate aftermath. A recent study from the Ponemon Institute revealed that 75 per cent of businesses are not prepared for a cyber attack, while only 25 per cent believe they are cyber resilient and 32 per cent think they could adequately recover from an attack.

Dealing with the bad publicity and reputational damage resulting from a cyber breach is only one of the challenges a company that has suffered a major breach exposing customer details faces. Once confidential data has been stolen and put up for sale on the Dark Web, the company may find it has a number of additional legal challenges to face. Part of the recovery includes the lawsuits and consistently large victim payouts.

To cover these sums, companies rely on data privacy and cybersecurity insurance. These policies can lighten the financial burden for a company facing millions of dollars in settlements. Cyber insurance is, however, still in its infancy. While cyber insurance may cover claims from disgruntled customers whose details have been put up for sale, insurers in the UK are generally reluctant to cover the kind of claim that might result from a major cyber attack designed to siphon large sums from the company’s bank accounts. The reason is that cyber coverage is a relatively new risk for insurers to get to grips with and most feel that there is insufficient actuarial information on which to base premiums.

There are endless tables and spreadsheets evaluating the risk of, for instance, fire. But insurers are wary of open-ended policies that could leave them liable for losses calculated in the billions. According to some industry estimates, cyber crime worldwide is costing between $1 trillion and $2 trillion dollars a year.

Companies should now take steps to prepare for a cyber security breach

But at whatever level companies may be insured, companies should now take steps to prepare for a cyber security breach. For most companies this will be a question of when and not if. All organisations should have an Incident Response Plan (IRP) in place. This plan, just like a fire evacuation plan, is preventative and precautionary.

It should be well-organised, thoughtful and run at least once a quarter as a drill, just as a fire drill prepares people for the worst. Knowing the exact steps of how to respond to a cyber attack will lessen its effects and give any company peace of mind.

Staff must also be educated on the ever-present danger of a cyber security breach. Many workers are still unaware of the dangers of cyber threats. In a company like JD Wetherspoon, where the focus is on the physical business of running pubs, restaurants and hotels, cyber threats are harder to catch. Many smaller technology companies also struggle to keep up with potential attacks as they focus primarily on business gains, letting cybersecurity fall to the side.

In a changing digital landscape, that awareness needs to sharpen. Employees should be vigilant of threats, know the warning signs, be digitally educated and receive training on safe cyber practices. With even the most basic training, the employees, who became victims and a gateway to hackers, would have been more knowledgeable about what to be more attentive about when using the computer. Training employees also alerts them to their own personal cyber protection.

Expert cybersecurity vendors analyse a company’s weaknesses and fortify its protections. Cyberint runs ‘cybersecurity posture checks’ on companies, simulating real life, complex attack scenarios. While continuously monitoring the companies’ online assets - web site, social media platforms, their supply chain and more, in order to ascertain their weak spots open to hackers.

Continuous checks ensure the hackers stay out and that changes within the company, their employees and new systems used, don’t make them vulnerable to hackers.

Elad Ben Meir is VP of marketing at CyberInt

Photo Credit: Sergey Nivens/Shutterstock