BreachExchange mailing list archives

Companies ill-prepared for cyber attacks in 2016

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 7 Jan 2016 19:25:50 -0700

http://www.itproportal.com/2016/01/07/companies-ill-prepared-for-cyber-attacks-in-2016/

2015 will be marked as the year when corporate cyber crime got serious.

Despite the fallout from the massive Sony hack at the end of 2014, the year
began with chief executives in the UK regarding cyber crime as the IT
department’s problem and ended with a series of highly publicised corporate
hacks leaving company heads looking like rabbits staring into the car
headlights.

In October, Dido Harding, chief executive of UK broadband and telecoms
supplier TalkTalk found herself trying to explain how her company had
allowed the confidential details of four million customers to be stolen.
After trying to pass the buck to the Metropolitan police for not advising
her to make the security breach public, in mid-December she conceded to a
Parliamentary Committee that cyber security was ultimately the
responsibility of the chief executive and the board.

Other highly publicised attacks during 2015 included the US-based dating
site Ashley Madison, which publicly exposed the private philanderings of
many of its members, a significant proportion of whom received blackmail
threats.

But these high-profile hacks are only the tip of a vast iceberg of corporate
cyber crime. For example, a three-day cyber attack on JD Wetherspoon went
undetected for nearly six months. The names, personal information and some
credit card details of 656,723 customers fell into the hands of a Russian
hacking group and no one at the UK pub and hotel chain knew about it. The
company eventually discovered the attack in late 2015 and addressed the
issue.

The customer data was stolen from the company’s website and from patrons who
logged on to free WiFi at JD Wetherspoon pubs. The hack took place over
three days, but the mass of stolen data, together with the company’s
inability to protect the information and to notice the theft straight away,
is one of many examples of companies falling victim to an attack under a
deluge of threats.

These cyber breaches, and the slow reactions of the companies concerned to
the fallout from a high-profile hack, reveal how unprepared most
organisations are for coping with the immediate aftermath. A recent study
from the Ponemon Institute revealed that 75 per cent of businesses are not
prepared for a cyber attack, while only 25 per cent believe they are cyber
resilient and 32 per cent think they could adequately recover from an
attack.

Dealing with the bad publicity and reputational damage resulting from a
cyber breach is only one of the challenges a company that has suffered a
major breach exposing customer details faces. Once confidential data has
been stolen and put up for sale on the Dark Web, the company may find it
has a number of additional legal challenges to face. Part of the recovery
includes the lawsuits and consistently large victim payouts.

To cover these sums, companies rely on data privacy and cybersecurity
insurance. These policies can lighten the financial burden for a company
facing millions of dollars in settlements. Cyber insurance is, however,
still in its infancy. While cyber insurance may cover claims from
disgruntled customers whose details have been put up for sale, insurers in
the UK are generally reluctant to cover the kind of claim that might result
from a major cyber attack designed to siphon large sums from the company’s
bank accounts. The reason is that cyber coverage is a relatively new risk
for insurers to get to grips with and most feel that there is insufficient
actuarial information on which to base premiums.

There are endless tables and spreadsheets evaluating the risk of, for
instance, fire. But insurers are wary of open-ended policies that could
leave them liable for losses calculated in the billions. According to some
industry estimates, cyber crime worldwide is costing between $1 trillion
and $2 trillion a year.

Companies should now take steps to prepare for a cyber security breach

But at whatever level companies may be insured, companies should now take
steps to prepare for a cyber security breach. For most companies this will
be a question of when and not if. All organisations should have an Incident
Response Plan (IRP) in place. This plan, just like a fire evacuation plan,
is preventative and precautionary.

It should be well-organised, thoughtful and run at least once a quarter as
a drill, just as a fire drill prepares people for the worst. Knowing the
exact steps of how to respond to a cyber attack will lessen its effects and
give any company peace of mind.

Staff must also be educated on the ever-present danger of a cyber security
breach. Many workers are still unaware of the dangers of cyber threats. In
a company like JD Wetherspoon, where the focus is on the physical business
of running pubs, restaurants and hotels, cyber threats are harder to catch.
Many smaller technology companies also struggle to keep up with potential
attacks as they focus primarily on business gains, letting cybersecurity
fall to the side.

In a changing digital landscape, that awareness needs to sharpen. Employees
should be vigilant of threats, know the warning signs, be digitally
educated and receive training on safe cyber practices. With even the most
basic training, the employees who became victims, and thereby a gateway for
hackers, would have known better what to watch out for when using their
computers. Training employees also alerts them to their own personal cyber
protection.

Expert cybersecurity vendors analyse a company’s weaknesses and fortify its
protections. Cyberint runs ‘cybersecurity posture checks’ on companies,
simulating real-life, complex attack scenarios, while continuously
monitoring the companies’ online assets – web site, social media platforms,
their supply chain and more – in order to ascertain the weak spots open to
hackers.

Continuous checks help keep the hackers out and ensure that changes within
the company, such as new employees and new systems, don’t make it vulnerable
to hackers.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/