BreachExchange mailing list archives

Shake off the risk of cyber attacks


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Mar 2015 19:17:50 -0600

http://www.scotsman.com/news/shake-off-the-risk-of-cyber-attacks-1-3732577

When Taylor Swift’s Twitter and Instagram accounts were hacked back in
January, the American singer took to social media to issue a
tongue-in-cheek response. Echoing the lyrics to her hit song Shake It Off,
Swift quipped: “Cause the hackers gonna hack, hack, hack, hack, hack…”

Not all online attacks elicit such a light-hearted reaction. Whether it’s
nude photographs being stolen from celebrity iCloud accounts or the theft
of credit card details from PlayStation users, cyber security is seldom far
from the headlines these days.

Such attacks can have very serious consequences, not just for the
individuals involved but also for the businesses that are targeted. Last
month, the Office of the Information Commissioner (ICO) – which acts in
Scotland as well as England and Wales on data protection matters – handed
down a £175,000 fine to an online holiday insurance company after hackers
accessed its customers’ records.

The fraudsters used the credit card details of more than 5,000 clients
following the attack, which could have been avoided if the company had
updated its database software on two separate occasions. The attack could
have been even worse; the hackers could have had access to more than
100,000 records on the system, which included the card code verification
(CCV) numbers printed on the back of credit cards – a piece of data that
the ICO said shouldn’t even have been stored at all. In this example, the
ICO found the company had no policies or procedures in place to review and
update information technology (IT) security systems, with some flaws being
left open for as long as five years.

Sadly, this isn’t an isolated case. A report published last week by the UK
government found 81 per cent of large companies and 60 per cent of small
businesses have been hit by a breach of their cyber security during the
past year.

Ministers estimate that cyber security breaches cost the UK economy
billions of pounds each year, with the average cost of attacks on small
businesses almost doubling between 2013 and 2014. With so much money at
stake, it’s no wonder that politicians are getting serious about the issue.

Cabinet Office minister Francis Maude has said he wants to cement the UK’s
position as the global centre for cyber risk management, building on the
strength of our country’s insurance sector. As part of a company’s broader
risk management, Maude’s measures include recommending cyber security
insurance to help firms deal with problems when they arise. His comments
won backing from a range of business leaders.

Responsibility for cyber security needs to go all the way to the top.
Surveys have revealed 52 per cent of chief executives think their companies
already have cyber security protection in place, but only 10 per cent of
businesses actually do hold such policies. About half of companies didn’t
even know cyber security insurance existed.

One of the recommendations from the UK government’s report was that a
member of each company’s board of directors should take responsibility for
cyber security. And it went further, suggesting businesses need to stop
thinking of online attacks as an IT issue but instead see them as a
commercial risk that will affect all parts of their operations.

As well as selling policies, the report recognised that insurers have a
role to play in spreading the word about the need for protection. Insurers
need to ask their clients the right questions about security, it said.

One step is for insurers to make sure companies – both large and small –
are signed up to the UK government’s Cyber Essentials scheme. Businesses
that want to win government contracts that involve handling personal
information and providing certain IT products and services have had to be
signed up to the programme for tenders issued since October. Now the UK
government wants to roll out the scheme even further by getting insurers to
ask their clients about their cyber risk management and spread the word
about best practice. Insurance brokers are agreeing to include Cyber
Essentials accreditation as part of their risk assessment for small
businesses in an effort to encourage greater adoption.

Insurance is no substitute for stopping cyber-attacks in the first place.
But, to quote Taylor Swift, if the hackers are going to “hack, hack, hack”
then at least having a policy in place will help to “shake it off” if the
worst should happen and a cyber-attacker breaks through a company’s
defences.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
