The threat is real and it’s growing. Then why are so many organisations still so vulnerable? Can and should businesses be doing more to protect themselves (and their customer and employee personal data), given the massively damaging effects of cyber crime and data loss? The answer, of course, is yes. A few weeks ago, phone and broadband service provider TalkTalk reported that its profits had more than halved, dropping to £14 million compared with £32m a year earlier. The reason? Last October’s cyber attack on its systems, which led to the personal data of more than 150,000 people being accessed, is estimated to have cost the company £42m. More than 100,000 subscribers went elsewhere. That data breach included the loss of names, phone numbers, email addresses and more than 20,000 bank account numbers and sort-codes. The threat is real.
‘Failing to take cyber crime seriously’
While TalkTalk was discussing the financial hangover resulting from its serious data breach – its chief executive told the BBC “we have significantly increased our spending on security” – the organisation Swift, which oversees the messaging network used for money transfers by financial institutions around the globe, warned of a cyber attack on a big commercial bank. This was similar to the attack in February that saw US$81 million stolen from the Bangladeshi central bank. The attackers, Swift said, appeared to possess a “deep and sophisticated knowledge of specific operational controls” at the bank that was being targeted, and they may have been helped by “malicious insiders”. As you’re probably aware, an increasing number of studies and reports point to the security threat posed by such insiders.
Also in May, a report by lobbying group TheCityUK, sharing the findings of a six-month review into cyber security, accused the UK financial sector of “failing to take cyber crime seriously” and described the industry as “the perfect target” for cyber attacks. Mark Weil, chair of TheCityUK’s cyber task force and chief executive of insurance brokers Marsh, said the UK government and its agencies had already started taking action. “However, outside of a very few firms, we do not yet see cyber getting the attention it needs from business leaders.” The risk faced was described as “large” and “systemic”. This threat is growing – yet the response from those under threat still seems muted.
‘It couldn’t happen here’
Are this inactivity and attitude pervasive? Does the notion that “it couldn’t happen here” reach from larger institutions through mid-market organisations to SMEs? My concern is yes, that may be the case. And, as has been said many times, the ubiquity of cloud apps, not to mention the continued rise of cloud-based infrastructure services, means many more routes and openings emerge every day for attackers to exploit. Indeed, while securing apps is today’s focus, the next generation of cloud security and identity access will focus on securing Infrastructure as a Service provision for enterprises. By which time, IaaS will be so entrenched in an organisation’s operations, threaded through its own DNA, that hacking, malware, denial of service, data loss and so on would have potentially catastrophic effects. It really is time to get serious about cyber security.