Risks of being unprepared for a cyber attack
Experts in cyber security have highlighted the potential risks of a data breach caused by a cyber attack to a business, including costly business downtime, fines from the Information Commissioner's Office (ICO) and reputational damage.
The panel discussed the issues at TheBusinessDesk.com’s Cyber Security seminar, sponsored by CMS and Cloud Kickers, held at the Crowne Plaza in Leeds. They also talked about top tips on ensuring cyber security and addressing skills shortages in the sector, which were reported yesterday.
Simon Kenworthy, founder and CTO at Cloud Kickers, said it was essential for all businesses to be prepared and to have the right advice at their disposal.
He said a huge amount of business downtime could be triggered if a business was unprepared for a cyber attack. Kenworthy said a growing business he knew of was attacked and that it took the business offline for a week, resulting "in a loss of thousands of pounds."
Chris Wilson, senior associate at CMS, explained that regulatory fines for data breaches could be up to €20m or 4% of turnover, whichever is higher, depending on the breach. Wilson said that "record fines" would become normal simply because a higher level of fine was now permitted.
He asked the audience of more than 80 delegates “could you afford a hit of up to 4% on your turnover?”
Commenting on damage to reputation, Wilson added: "More generally, do you want to be perceived as a company that protects personal data? Uber covered up a hack of their system affecting 157m users, paid off the hacker, received an enhanced fine for not reporting and did not do anything to improve its reputation.
“It is not whether you suffer a data breach, but when you do. Then, how will it be reported in the tabloid or industry press? How will you be able to reassure your customers, clients, supply chain? Can you retain trust that you are a company that can keep personal data safe, who will do the right thing?”
Wilson said that aside from the time, resources and cost of dealing with a breach, it could have a direct effect on the operation of a business. He concluded: "A good response is the difference between a business-critical fine and a good PR exercise."
Amy De-Balsi, Head of Partnerships and Innovation at Bruntwood, runs the tech hub at Platform in Leeds, where 85 tech start-ups are based. She said the business had needed to adapt to the cyber risks and put the necessary steps in place, and that it would be a risk if these weren't implemented.
She said: "The property world has changed and we have had to change our products. Housing 85 businesses means that we have to provide networks for them – they are all coding and uploading code onto the internet and, not only do we have to provide safe and fast internet, but we have to provide very secure internet for them.
“We don’t want, as a property developer, to enable the businesses in our buildings to be breached.”
Ian Mann, CEO of cyber security firm ECSC, added that a common risk was ransomware and the costs associated with it. He said that, as a business is often hacked over many months, there was often no way of detecting a breach until the ransomware was installed on the system, at which point the breach came to light.
Mann said that hackers were now checking out a firm's ability to pay and quoting a price to return the data they had stolen – he knew of a recent example where a firm had been asked for $17.1m. He added: "If you go back two years ago, it was rare to get anything more than $10,000."
Michael Lea-Smith, fraud specialist at CYBG, concluded: “Anybody can be deceived and inbox and email compromises with follow-up instructions are by far the most common type of fraud we see targeting businesses and individuals.”
Mann said one of the biggest risks was presented by passwords and data being stored outside of a business's firewall – such as in Office 365. He said this sometimes allowed hackers to gain an executive's contact details, demand money, and the issue "propagates from there." He said this accounted for about 70% of the breaches ECSC sees.
An overview of a legal response to a data breach
Amit Tyagi, senior associate at CMS, said data breach responses needed to be a team effort between the business, the technical experts and the internal teams.
He said: "If your customers have been without the service that you provide for a week, they are going to complain and make claims against you and you are going to have to reimburse them for the losses they have suffered; or at least try and defend those claims. You also need to report it to the regulator.
“Although these things happen very quickly, 72 hours is the guidance that the ICO gives you to report something which constitutes a data breach. It’s a massive cliche but 72 hours is actually an awful long time. Sometimes that is the time needed to get the necessary things done.
"If you have co-ordinated your response to the breach correctly, if you have kept a careful audit log of all the decisions you took during that period, then it's difficult for the ICO or individuals to criticise you for the decisions you made when you made them in the best informed way that you could at the time and carefully documented that.
“It’s never going to be perfect. All you can do is mitigate the risk in the long term and use professional advisers to help you do that. Be prepared – when something goes wrong then engage the right people. Make sure you have someone in the business at board level or sufficient decision making level to sign off on the decisions you make during that critical time period.”
Tyagi said it was essential for firms to look at prevention and also at having the right level of support around them, including cyber insurance. He said CMS had done a lot of work for insurers co-ordinating breach responses on behalf of clients – including PR handling to ensure reputation is also upheld and issues mitigated.
"It means that if something does go wrong, and there are claims made against you, then you are protected. All of those IT forensic reports that are created about the cause of the incident are actually protected by privilege and can't be 'got at' by the various claimants," he explained.
‘Building a defensible position’
The panel discussed what happened when breaches were found. Ian Mann, CEO of cyber security firm ECSC, said: "We find the ICO to be reasonable to lenient. We have had plenty of cases where we thought clients should get a fine, and they haven't. And when any of our clients have got a fine, they have always thought 'yes, we deserve it.'"
He said that there were two things businesses could do in preparing for a breach. Firstly, to stop the breaches because they are all preventable. Mann added: “But also build a defensible position. That’s where having the standards in place can really help.
"When we put a case to the ICO, we want to be in a position whereby the organisation did all the right things, behaved reasonably and tried to prevent this; but ultimately somebody made a mistake."
Cyber cautiousness restricting business activities?
Michael Lea-Smith, fraud specialist at CYBG, said he had come across a business that had withdrawn their website “because they could not defend it” which was inhibiting their ability to carry out business duties. “That was critical – because I don’t see how that business could sustain what they were doing. I advised them they had to find a way to get their presence back online and protect the systems,” he added.
Melanie Oldham, chair of the Yorkshire Cyber Security Cluster and founder of Bob's Business, said that information security "overkill" was often seen in businesses putting too many technical aspects and too much jargon in policy documentation, which could be restricting how they conduct business.
She said it meant too much information could be put in documents for the end user to be able to make use of it in their work. "People often feel they are saturated or are getting too much compliance training" if their education around the topic wasn't relevant to their role.
De-Balsi said that when systems had been too "over-engineered", staff had resorted to putting data in a spreadsheet. "That just opens up a whole new level of where data is stored. That just means the CRM system isn't working for you – so you need to design something that is right, and provides the right storage for information that works for people," she said.
Kenworthy added: “Solutions need to reach further out. People are going to conduct their work from home, on the bus, on lots of different applications and devices.
“Data is being spread out everywhere in the solutions we are given. Those solutions are constrained. It’s changing and it’s in the hands of IT systems, individuals, corporations, suppliers – all of those parties are having a really tough time with this. I see the problem getting bigger and the data being spread is already out. It doesn’t take much for a data scientist to add all of that together and cause significant harm; he has gone that.”
However, Mann said he had never come across a business that had put so many security restrictions in place that it had stopped them being able to carry out their duties. “We do see the other extreme, though, where businesses ignore cyber security. If we get to a position where businesses are doing too much cyber security, we are probably in the right direction. I just don’t see that.”
A second Cyber Security seminar will take place this week. Places at the event, which will be held on Thursday in Manchester, are free. Further details are available online.