- Security TWENTY
- Women in Security Awards
Cyber-security professionals must rethink their strategy of beating cyber-attacks, writes Alan Platt, pictured, COO, of cloud security product company CyberHive.
A recent survey by the Bank of England revealed that cyber-attacks were the joint second most cited risk to the stability of the UK financial system. The proportion of respondents that named cyber-attacks increased for the third consecutive survey to a new record high of 62 per cent – an increase of five per cent. Furthermore, an increase of five per cent listed cyber-attack as the risk most challenging to manage, according to Bank of England – Systemic Risk Survey Results – 2018 H1¹.
Against this background of increased threats to cybersecurity, and continually strengthening legislation concerning data security, it is no surprise that IT security has become a high priority for organisations. Cyber threats have evolved to become more sophisticated, often originating from well-organised groups – state-sponsored or criminal networks – who target businesses or individuals connected to businesses for valuable information.
IT professionals in financial services often envisage their role in cyber-security as fortifying the defences against external attacks. The reality, though, is very different. Most cyber-attacks originate from human errors within an organisation, such as an employee opening a malware-laden phishing email, or as the result of some deceptive social engineering on the part of the attacker to infiltrate malicious code inside the defences. Most standard cyber-defences, such as firewalls and penetration testing, serve to secure the systems from external attack. Anti-virus is used by most companies, but its effectiveness is minimal in the defence against the increasingly sophisticated and bespoke cyber-attacks that can go undetected for several months.
Security professionals need to change their mindset to counter these disastrous attacks. They need to carefully explore the options that can safeguard a company from damage caused by human error. They must be mindful of the reality that mistakes can – and will happen. It is not a case of “if” a data breach will occur, but “when”. Companies would be well advised to shift the emphasis from defending against known external threats and instead focus on identifying attacks as quickly as possible once they happen – and taking swift action to foil them before they wreak havoc.
This need to act quickly to limit damage is borne out by key findings in a study published last year by IBM security and Ponemon Institute. In the 2017 Cost of Data Breach Study: United Kingdom² the Mean Time to Identify (MTTI) and Mean Time to Contain (MTTC) metrics were used to assess the effectiveness of an organisation’s incident response and containment processes. It took an average of 168 days to identify a data breach and 67 days to contain it. The previous year’s MTTI and MTTC figures were 178 and 72 days respectively.
Incident response plans
The findings also emphasise the importance of being able to rapidly detect and contain an attack. New technologies are emerging that focus on detecting malware before it can do any damage. If the MTTI was less than 100 days, the average cost to identify the data breach was £1.98 million. However, if the MTTI was greater than 100 days, the average cost rose significantly to £2.97 million. If this MTTI were reduced to a few days, the costs of a cyber breach could be massively reduced.
Similarly, the study highlights the need to have an effective incident response plan in place. If the time it took to contain the breach was less than 30 days, the cost to contain the breach was £2.24 million. If it took 30 days or longer to contain the breach, the cost soared to £2.71 million. The longer it takes to detect, respond and contain a breach must become a critical priority for every CISO and board.The rising costs of data breaches are extremely detrimental and only set to increase with GDPR legislation in place, let alone the reputational damage that can be suffered as customers begin to lose trust in a firm that can’t protect their assets. Cyber-crime is recognised as a serious threat in the financial services industry and the UK Financial Conduct Authority (FCA) warns that firms should be vigilant to this threat, able to defend themselves effectively, and respond proportionately to cyber events.
Perils of bad data management
One of the chief threats to the sector comes from poor approaches to data management in notoriously disjoined IT systems or inadequately managing their defences when outsourcing data storage. The importance of the guidance given by the FCA can easily be seen in perspective when we consider the disastrous impact of recent cyber-attacks at large well-known companies.
In June the data breach at Dixons Carphone served as a serious wake-up call to improve cyber security across the world for organisations holding data on EU citizens. The reality is that Dixons Carphone showed it was unable to secure the card details of 5.9 million customers, who became victims of “unauthorised access”. The breach, which also involved the personal data of 1.2 million customers, was serious enough for cybersecurity chiefs at GCHQ to launch an investigation.
An Equifax security breach revealed last October is understood to have affected around 700,000 UK-based customers and many more in the US. Stolen information included email addresses, passwords, usernames and partial card details linked to membership data, as well as driving licence and phone numbers. Financial organisations must assume they are going to be breached, they are being targeted on a daily basis and the sophistication levels of hackers continues to rise. It’s absolutely critical that banks and financial service businesses know about the breach in a matter of minutes or hours, not days. They can then mitigate the risk and avoid further damage to their systems or avoid data loss.
² 2017 Cost of Data Breach Study: United Kingdom by IBM Security and Ponemon Institute (June 2017).