As many of the world’s largest companies are beginning to realise, the threat to their margins, their brands and even their continued existence from cyber attacks is no longer an abstract risk they can ignore.
Indeed, safeguarding the interests of the business community has become a critical national security issue for some of the West’s biggest powers.
The danger of cyber attack, cyber espionage and cyber crime is finally beginning to loom large in boardrooms across the developed world after a blitz of publicity around the issue – from the attack on state oil company Saudi Aramco in August 2012 to the data theft from Target, the US retailer, in 2013. But cyber security is still a threat ill understood and even more poorly dealt with.
As a case in point: the chief of one international defence contractor – an organisation with intimate governmental links on both sides of the Atlantic – recently discovered that his personal home laptop had been the object of a security breach.
IT engineers at his company, the chief executive told the FT, had identified software on the computer that was logging his every keystroke, and surreptitiously beaming all data it gleaned about his personal life back to an unknown attacker.
The exact purpose of the breach and intent of the attack remain unknown, but its implications are clear: in a rapidly evolving, increasingly boundless digital world, the cyber security threat is pervasive, sophisticated – and deeply underestimated, even among those who should be most aware of it.
“Cyber has evolved over the past two to three years and there’s now a realisation of a clear and present danger to [blue-chip] companies,” says Mark Brown, director of risk and information security at EY’s cyber security division.
“For years, companies looked at this as a technical risk that their IT departments should deal with and solve. What they are now realising is that this isn’t just a tech issue, but something that affects the entire business. Brands that have taken years if not decades to build can be destroyed in seconds.”
The range of cyber threats facing most businesses can be broken down into five principal categories, say analysts.
First, are attacks from “lone wolf”-type amateurs – gifted teenagers who might have nothing better to do in their spare time than to compromise the networks of multinationals. Though seemingly trivial, such attacks are often among the most difficult to detect and combat, since the individuals conducting them can be both motiveless and persistent.
Second, are attacks conducted by so-called “hacktivists” – which often take the form of politically or morally inflected versions of lone wolf attacks. They are by nature more challenging to cope with, however, since those conducting them rarely act alone, but work in concert.
Breaches by hacktivist groups often entail humiliating or vandalising a company, invariably for political aims because of its perceived moral or ethical transgressions.
The third category of cyber attack is the most prevalent: fraud and criminal activity. Banks and retailers, in particular, have been lucrative targets for individuals and organisations seeking to exploit the vast troves of consumer data such organisations hold.
One of the chief problems facing the combating of such activities – often undertaken by highly skilled and well resourced criminal organisations in areas such as Russia and eastern Europe – has been the willingness of financial organisations to write off digital fraud and crime as part of the natural “friction” of doing business in an online world.
By doing so, big businesses risk underpreparing for far greater cyber challenges in the years to come, experts say.
In addition, criminally-motivated cyber breaches are not just related to cyber theft, but can increasingly involve market manipulation. One international lawyer says he is aware of attacks that targeted his and other similar law firms to mine information on merger and acquisition activity in London and New York.
The fourth area of attack is industrial espionage. Such attacks are among the most sophisticated and also the hardest to detect, since their economic impact is invariably indirect. More insidious still, those behind such attacks are as likely as not to be states or organisations closely affiliated with them.
Several developing-market economies have state-linked groups whose purpose is to steal valuable intellectual property from companies in developed economies to help bolster their countries’ own fledgling industries. In one breach last year, security officials in the UK say a company lost intellectual property worth more than $1bn to foreign actors in a single, sophisticated act of cyber industrial espionage.
The fifth area may be the least common of all cyber attack risks, but it is potentially the most catastrophic for the largest and most developed companies. Any organisation of systemic importance will inevitably be subject to it: compromise by the offensive cyber warfare activities of a foreign state.
“If the US department of defence can be infiltrated by foreign powers, then you can bet any large company can be – much more easily,” says one cyber security practitioner.
Companies whose business is related to critical national infrastructure need be particularly wary. Though it is nearly four years since news leaked of the Stuxnet attack that infiltrated and impaired Iran’s uranium enrichment centrifuges, few in the developed world have reflected on that attack and seen similarly gaping vulnerabilities in their own Scada – supervisory control and data acquisition – networks.
What is clear is that the frequency of all such attacks has increased significantly in recent months. According to Symantec, the cyber security firm, the number of data breaches rose 63 per cent in 2013, resulting in the exposure of more than 552m identities worldwide.
There were eight “mega breaches”, each involving tens of millions of stolen data records, compared to just one in 2012. Targeted cyber espionage attacks against companies rose by 91 per cent.
Defence and cyber security officials in government and the private sector say it is now inconceivable for a modern, large or even mid-cap company not to have been the target of a cyber attack. The only factor is whether it has had to disclose it publicly or not.
However, what should concern many in the corporate world is not just the growing number of attacks, but also their sophistication – and the extent to which, increasingly, the highly developed cyber techniques used by the best resourced, state-backed cyber attackers are filtering down the spectrum.
“Technology that we previously saw being used against governments or defence contractors is now being used against more regular companies,” says Scott McVicar, managing director of cyber security at BAE Systems Applied Intelligence. “It’s a global issue and the prizes are high.”
What can companies do to target such fast-growing digital risks?
Undoubtedly, that is a far harder question than merely admitting the size of the threat faced. One piece of advice most companies fail to heed in the first instance is the futility of just “tooling up”, in the words of one cyber expert. “So many companies have wasted money on grand schemes to try to persuade themselves they are defended,” he says.
The reality is that no system is secure. No matter how secure the cyber fortress, attackers will always find a way in.
What matters, then, is intelligence – trying to gain an insight as to when and where attacks are likely to hit – and preparedness, in having the ability rapidly to deal with them.
Verizon and PwC report growing threat and cost of breaches
Two significant pieces of research published at the end of April give insight into the growing threat of cyber crime, writes Andrew Baxter.
Last year may be remembered as the “year of the retailer breach”, but a comprehensive assessment suggests it was a year of transition from geopolitical attacks to large-scale attacks on payment card systems, say the authors of Verizon’s 2014 Data Breach Investigations report.
The cyber attack in December on Target, the US retailer, was “vying to become the event for which 2013 will always be remembered”, says the report.
But other US retailers in the line of fire included grocery retailer Schnucks (a point-of-sale data breach in April); another grocery chain, Raley’s (payment card systems breached in June); tool vendor Harbor Freight (data breach in July involving customer records): and upmarket store chain Nordstrom (discovered skimmers on some of its cash registers in October).
The report identifies nine basic patterns that cover 92 per cent of the 100,000 security incidents they have looked at over the past 10 years. These are: point of sale intrusions; web application attacks; insider misuse; physical theft/loss; miscellaneous errors; crimeware; card skimmers; denial of service attacks; cyber-espionage; and everything else.
A pie chart shows how the frequency of these types of incident varies across different target industries.
A second report, the 2014 Information Security Breaches Survey has been conducted by PwC for the UK’s Department for Business Innovation and Skills and was published in late April.
It found that the number of security breaches affecting UK businesses decreased slightly in comparison with early last year. However, there has been a significant rise in the cost of individual breaches, and the overall cost of security breaches for all type of organisations has increased.
Richard Horne, PwC cyber security partner, says: “Cyber crime continues to be a major threat to UK businesses and the government has identified cyber attacks as a tier one national security threat. Our recent global economic crime survey found that 45 per cent of respondents from the financial services sector were victims of economic crime, with 39 per cent victims of cyber crime, as fraudsters increasingly turn to technology as their main crime tool.
“The good news is that UK companies are taking cyber security more seriously and the government is keen to do more to encourage businesses to protect themselves.”
Among other findings from the PwC report:
● The overall investment in security as part of total IT budget is increasing across all sectors, with even the most frugal sector’s investment increasing.
● There has been a marked increase in spending on information security in small businesses.
● Organisations are making risk-based decisions about the introduction of mobile devices in order to facilitate more flexible ways of working.
● Confidence about the availability of security resources has increased.
● Seventy per cent of organisations keep their worst security incident under wraps.
● The average cost of the worst breach suffered has risen significantly. For large organisations it has gone up from £450,000-£850,000 to £600,000-£1.15m. For small businesses it has nearly doubled, from £35,000-£65,000 to £65,000-£115,000.
Copyright The Financial Times Limited 2014