“There are only two types of companies: Those that have been hacked and those that will be hacked.”

This phrase used to be said by the FBI but has changed recently to

 “There are only two types of companies: Those that have been hacked and those that don’t know they have been hacked.”

The basic message is that no business is immune to cyber-attacks and that knowing whether or not you have been hacked can be difficult to figure out.  On average it takes 120 days for a company to realise it has been hacked. [www.pensar.co.uk]

 

The Problem

The traditional approach of trying to create an impenetrable barrier to prevent hackers accessing your business systems is no longer sufficient.  Hackers are increasingly using human vulnerabilities to breach systems and most large and small companies do not have the systems in place to recognise when a cyber-attack has taken place or the plans in place to deal with hackers stealing confidential data.

This has got to change.

The Questions

Your business must address the following questions:-

1.       What information is in your computer systems that hackers could want for any reason?

2.       How could this information be stolen?

3.       What impact could there be on the company if confidential information gets in to the hands of hackers and scammers.

4.       Do you have systems that can recognise if an attack has taken place?

5.       Do you have company plans set-up to deal with the various attacks that can happen and subsequent consequential effects on customers, suppliers and staff?

 You should treat these questions and their answers as part of your business risk analysis and catastrophe planning.   

The Impact on Business

Sony had 47,000 records stolen that included employee details of employment, health and emails. Sony’s initial costs were over $100m (reduced to $15m after insurance payout), but there was a significant negative impact on sales and customer turnover.

At EBay, hackers took customer personal information affecting 145m active users. The total cost to EBay was $145m.

Target was a very serious case where hackers stole credit card details. The credit card issuers had to reissue credit cards costing $252m (before insurance payouts).  The CIO, CISO, and CEO all lost their jobs. Seven Directors were also threatened with job loss but managed to convince the shareholders to back them.

IBM’s Cost of Data Breach Study 2017 shows it costs companies an average of $141 per record stolen that contains sensitive or confidential information.

As many data breaches cover millions of records this can mean huge costs.

In many cases of a data breach, the company did not know about it until the hackers carried out some kind of fraud using the data. This may be months or even years after the breach occurred.

Clearly if a company has to be told by its customers that their credit cards for example are being charged illegally (as a result of a breach) – that’s likely to lead to dreadful publicity and major customer problems.

The UK communications company TalkTalk had a serious data breach which led to over 100,000 customers leaving the provider. The damage to Talk Talk’s reputation was immense.

Research shows that companies suffer a higher churn rate, increased customer acquisition costs, reputation losses and diminished goodwill due to an information security breach.

 An information security breach will rob a company of its good name, customers, increase new customer acquisition costs and decrease opportunities.

Statistics

The UK government undertake an Information Security Breach Survey each year.

Security breach in this case means virus/malware/ransomware attacks of any kind or attempted impersonation of staff or external bodies or any instance where confidential data becomes available to unauthorised people.

The 2016 survey shows:-

·         65% of large firms detected a cyber breach or attack in the last year

·         25% of those large firms experience a cyber breach at least once a month

·         Only 13% of businesses set cyber security standards for their suppliers

·         Most businesses do not have cyber security policies, and significant minorities do not implement basic security controls or user-access controls on their devices

·         Currently most cyber security breaches are not reported at all

Overall, the statistics suggest that many large and medium businesses need to invest significantly more in cyber security and not under-estimate the cost and potential damage that can be caused by cyber-attacks.

For small businesses this is often very much more difficult due to a lack of cyber expertise and the urgency of doing business.

 Many hackers run automated processes that check website vulnerabilities. So it is important to make sure there are no known weaknesses in cyber security for any length of time.

Signs of a Cyber Attack

Sometimes, it is very obvious that there has been an attack, but quite often the hackers hide their activities and leave little trace, In fact, businesses often only know they have been hacked when the criminals start to use the data they stole or if they try to ransom it back to the company.

Listed below are signs that indicate further investigation is warranted:-

         a series of rejected logins on the same account

         New Ports Open on the firewall or any unauthorised changes

         Unexpected  Firewall Log entries

         Disabled Anti-Virus

         Inability to install patches on any machines

         Heavy Network Traffic from a workstation, significantly larger than other workstations

         Unexpected  new devices on the network

         New Users created with Admin Privileges

Cyber security is very important and all businesses must ensure they have sufficient defences in place. But they must also plan for attacks and what do when those attacks succeed. The better the planning then likely the better the company response and hence reduces costs and reduced damage to reputation.

 

Do you have an opinion on this matter? Please comment in the box below.