22.12.2023
A leak of private customer data last September led to British Airways being hit with a £183.9m fine, the largest ever levied by Britain’s data privacy authority, the Information Commissioner’s Office (ICO). The fine followed the leak of login details and payment information for about 380,000 customers.
Cybercriminals had discovered a vulnerability in the Marriott Hotels chain’s guest reservation system, allowing them access to 383 million guest records and 5.25 million unencrypted passport numbers. The breach was flagged when the company’s third-party IT managers spotted an “anomaly” on the database last September. The ICO fined the company £99m.
—
Cybercrime today is not limited to desktops and mobile phones. The rise of connected devices has led to new opportunities for cybercriminals – in 2017, hackers attempted to gain access to a casino’s system via an internet-connected fish tank. Now anything connected to the internet is at risk – from vending machines that report stock supplies to security cameras and heating, ventilation, and air conditioning (HVAC) systems.
But it is a mistake to imagine that cybercriminals are unstoppable, as many attacks could easily be prevented, says Bob Huber, chief security officer at Tenable.
He says: “When we look at recent successful cyberattacks, it’s rarely an advanced or even sophisticated threat that’s the root cause. In nearly every instance it can be traced back to a known vulnerability that has been exploited.
“By prioritising and fixing the vulnerabilities and assets that are likely to be exploited, organisations can regain the upper hand.”
A denial-of-service attack targets websites and online services with huge numbers of automated requests, and is designed to knock services offline.
Customer details or other private data is accessed by unauthorised individuals (either by design or by accident).
Phishing
Cybercriminals still often rely on phishing emails, where victims are persuaded to open a malicious attachment. In some cases, specific individuals are targeted (known as “spear phishing”).
Ransomware
Ransomware hit the headlines after the 2017 WannaCry attack: criminals use malicious software to encrypt data, then demand a ransom, often in cryptocurrencies such as bitcoin.
RATs
Remote-access Trojans allow criminals to take control of machines remotely – similar to how office administrators can take over a machine. They can then access other machines or install other malware.
Spyware
Malicious software that is installed on a machine to monitor activity and transmit that information elsewhere.
32% of British businesses have seen a cybersecurity breach or attack in the past 12 months, according to the Department for Culture, Media and Sport Businesses have seen the typical number of attacks rise from two per year in 2017 to six per year in 2019
78% Three-quarters of businesses (78pc) say cybersecurity is high-priority, rising from 69pc in 2016
56% More than half (56pc) of executives say their cybersecurity analysts are overwhelmed by the number of data points they have to monitor, according to Capgemini research
Cybersecurity is no longer just a worry to be dealt with by the IT department: with each passing year, it is taken more seriously at board level by companies around the world. In Britain, companies are taking notice of the enormous fines imposed for data leaks in the wake of the EU’s GDPR policy, says Ian Glover, president of cybersecurity certification organisation CREST.
Mr Glover says: “For chief information security officers [CISOs] and their boards, the stakes have got higher with the Information Commissioner’s Office flexing its muscles with some hefty GDPR fines.”
Companies are increasingly realising the importance of training, says Prof Curran: “Education is crucial – but it often takes people to make a mistake before they learn. There is a new movement where security teams send phishing emails containing fake malware to their employees, which when activated lead them to a site telling them about their mistake and educating them on the dangers of what they did.”
How well prepared companies are tends to vary by sector, Mr Tanner says. Cybercriminals tend to “follow the money”, with finance the most-attacked sector in Europe, the Middle East and Africa (EMEA), according to research by NTT Security, accounting for 30pc of all attacks. “The financial services sector, perhaps inevitably, has faced a long history of cyberattacks,” he says. “But it is equally one of the most prepared. Less so are the retail and healthcare sectors, as the recent series of hacks involving Target, Home Depot and the NHS remind us.
“Apart from sector vulnerabilities, there are key geographical differences to consider. The UK, frustratingly, continues to fall behind the curve when compared with the US. Across the Pond, business leaders have been taking the perceived cyberthreat more seriously for longer than we have in the UK.”
NTT Security’s Global Threat Intelligence Report 2019 analysed billions of attacks across 18 business industries – and found these were the five most likely to be affected by a cyber breach.
More and more of us are working from home, but there are sensible steps to ensure company data stays safe, even if you are not actually in the office.
The sheer number of connected devices in use today is baffling – but it is up to businesses to take the initiative vto protect them. “An IT department needs to understand which data is attractive to an attacker and protect it effectively,” says Mr Glover. “Then they must discover what their security weaknesses are and know how to fix them.
“The best way to do this is to simulate a malicious attack, from either inside or outside the organisation, in order to see how easy it is to break into a network or system and steal valuable data or deny access to critical assets.”
Such “penetration testing” has been traditionally associated with government organisations and large financial and corporate institutions – but it is now becoming commonplace among medium-sized businesses, non-governmental organisations and the wider public sector.
Companies also need to take a more holistic approach to protecting devices, says Aaron Hopkinson, product and solutions manager, print and scan, at Brother UK. “Any cloud-based device is at risk, so endpoint security is essential,” he says. “This protects every device on the network with quality encryption, rather than focusing solely on smartphones, tablets, laptops and desktops.”
Businesses should keep an eye on their suppliers as well. Research by tax and consulting firm RSM this summer suggested that up to a fifth of cyber-incidents in the financial sector are caused by third-party failure, such as when suppliers fall victim and hackers use their systems as a bridge to access bigger targets.
“Cybercriminals are invariably after one thing – data,” says Ross Brewer, vice-president and managing director EMEA at LogRhythm. “The richest and most lucrative stores of data are found in the largest organisations. From third-party suppliers to white-label clients, each connection with another business is a potential point of weakness, and it’s something cybercriminals are more than willing to exploit.
“There’s no panacea for ensuring yours, and the networks of your suppliers, remain secure indefinitely. It’s a matter of continuous diligence and a meticulous process.”
The human factor remains the single most important part of fighting cybercrime, says Edward Whittingham, a former police officer and managing director of The Defence Works. “For too long there has been a focus on technology to stop cybercrime, but with over 90pc of incidents occurring due to human behaviour, training is absolutely crucial,” he says.
“Harvard Business Review recently described security awareness training as ‘the best cybersecurity investment a business can make’. Crucially, however, organisations need to not treat this as a tick-box exercise. It shouldn’t be seen as something to force upon employees but, instead, organisations need to set about building a security and data-aware culture through the business.”
This requires workers to use additional security measures beyond passwords (such as using an app to log in to webmail). It is a cheap, effective security fix.
Do not allow staff to install their own software on corporate machines. Limiting installations to administrators is one of the most effective ways to stop malware infections.
The government National Cyber Security Centre website has free, useful tips for small businesses, including setting passwords and how to resist phishing attacks.
Include cybersecurity awareness when new employees start. This can help to build a good corporate culture on security.
The Government’s Cyber Essentials offers basic training in how to defend against cyberattacks, and is used by thousands of businesses in the UK, including FTSE 100 companies.
Machine learning and artificial intelligence (AI) could revolutionise cybersecurity, picking out attacks before they happen by spotting “wrong” patterns.
New security services are increasingly being delivered as a service from the cloud, allowing rapid analysis of far more data.
Swedish biochip company Biohax has discussed implanting chips in employees as a security measure for workers. The chips cost £150 and are similar to those used for pets.
Taking basic steps, such as training employees, and “baking in” cybersecurity into the design of new software will help companies stay safe, says Prof Curran, but it is unlikely that cyberattacks will stop soon. “Most industries can do better than they are today, especially those that deal with trade secrets, personally identifiable information, finance and health data,” he says.
As long as businesses rely on technology, they may always face the threat of cyberattacks. What is important is that business leaders work strategically – making cybersecurity as core a part of their everyday operations as sales or finance.
Besides, even as hackers become smarter or stronger, technology will always provide new ways to fight back, according to Greg Day, vice-president and chief security officer, EMEA, at Palo Alto Networks. “We saw the American military’s Defense Advanced Research Projects Agency in 2016 run the first fully automated cyberattack challenge,” he says. “With highly automated adversaries, we need capabilities working at the same digital pace to defend.”
We may not beat cyberattackers for good – but business leaders can start to swing the balance back in their favour.
Connect With Us
With Artemis by your side, you're not just investing in IT and Telecom solutions – you're investing in a trusted partner dedicated to providing best value innovative voice and data solutions to add a measurable improvement to your business.
Book Your ConsultationOur Partners
© 2023 All rights reserved. Artemis Network Services Ltd.
SERVICES
OTHER LINKS
020 3326 5500
hello@artemis.uk.com
Artemis
Connect With Us
With Artemis by your side, you're not just investing in IT and Telecom solutions – you're investing in a trusted partner dedicated to providing best value innovative voice and data solutions to add a measurable improvement to your business.
BOOK YOUR CONSULTATIONSERVICES
OTHER LINKS
© 2023 All rights reserved. Artemis Network Services Ltd.
