The current cyber security spotlight is firmly resting upon Yahoo, who disclosed on December 15th, 2016, that a hack, which occurred in August 2013, affected data associated with more than one billion accounts, making this one of the company’s largest breaches. The related data contains names, email addresses and other sensitive information, which could allow the attackers to do untold damage to the users, across other platforms that use similar details. Fundamentally, this latest hack proves that corporations need to make cyber security a priority.
The digitisation of professional services, the development of AI and the advent of the Internet of Things has catapulted technological innovation forward and resulted in information technology becoming an essential component of the global economy and the diffusion of emergency and strategic services. Every day, internet users around the globe create an estimated 2.5 quintillion bytes of data, with 90% of the world’s complete data being produced in the last two years.
Having access to this data presents one with a powerful tool. Unfortunately, with such interconnectedness and opportunity, hurdles and issues also grow like weeds in the flower bed, namely, cyber attacks. This topic has been brought to the forefront in recent times due to the European Union’s new regulation (the EU General Data Protection Regulation) and complementary directive (the Network Information Security Directive) on the matter, setting the European standard high and ensuring that there is a high common level of network and information security across the Union.
The Growing Concern
The increased use and integration of IT systems and networks in business and corporate entities brings both opportunity and danger. As more companies incorporate cloud-based systems into their infrastructure to move processes online, the threat of a cyber-security breach and the damage it can cause is increasing dramatically. Today, all companies are reliant on information technology to some degree. Due to this, companies need to make security a top priority, since the threat of such a system being down directly injures the internal work of the company. Despite this, many organisations rely on network infrastructures composed of older, outdated components running vulnerable software, and thus lack cyber resilience.
When one considers the changing nature of security threats, from employees connecting personal devices to company networks to brute force attacks from hackers, the situation is further complicated, and thus the sophistication in risk identification and neutralisation has to change with it. While data can be lost or stolen through employees, either inadvertently or intentionally, the biggest attacks in the last five years have been as a result of hacking.
Beginning on February 4th, 2016, cyber-attacks on the central bank of Bangladesh resulted in losses of $81m and the prevention of another $850m in transactions from being processed. The Yahoo breach resulted in 500 million users having their data stolen. The scale and vitriolic nature of attacks are becoming more profound. Even with the well documented adverse effects of a hack, many companies do not have sufficient policies in place to protect against this threat, nor do they possess an adequate response plan for an attack.
Attack And Defend
Fundamentally, companies have no control over the motivations or capabilities of their attackers, but they can make it harder to access information and their networks. Attackers include cyber criminals, hacktivists (who are politically motivated to cause damage), and even industry competitors and foreign intelligence services, attempting to gain economic advantage, uncover strategies or damage reputations.
The outcomes of an attack also vary, ranging from data theft, data decay or damage (wiping files) to exploring and interrupting systems or services. The information collected can include any number of items, for example e-commerce platform details or the answers to security questions, which platforms use to protect users when resetting passwords and authorising accounts. Such answers, including a mother’s maiden name, can be the same across multiple services and are used by a wide variety of other platforms, including Apple’s iTunes and Amazon Prime, so a single stolen answer can be exploited to access other data. While companies are becoming more sophisticated in encrypting moving data (that is, data transmitted between entities), data at rest is often left unsecured. This is therefore not unlike a criminal syndicate following a heavily secured truck to an unsecured warehouse where the cargo is unloaded.
Moreover, attackers can use ransomware to hold data hostage in return for a hefty buyout. Ransomware provides cyber attackers with an easy method to extract more money directly from users, and Cisco noted in their 2016 Annual Security Report that the use of such software is on the rise.
As mentioned, attackers can also damage systems and may seek to map a company’s network or establish a persistent presence. This can enable hackers to interrupt AI controlled systems or install software that harms individual processes by stalling, re-writing or destroying data. For example, if a hacker could access an automated manufacturing process, they could damage the company’s ability to produce goods.
At the lower end of the scale, attackers can also deny services, interrupt product use and stall consumers from using their purchased software, services or other items. An example of this type of attack is the Distributed Denial of Service (DDoS) attack. At their most basic level, DDoS attacks work by sending a high volume of data from different locations to a particular server or set of servers utilised by the company. As a result of the limited number of requests that the servers can handle, these attacks overwhelm the servers causing them to slow significantly or fail altogether, seizing up and subsequently denying the service to users.
While DDoS attacks are certainly nothing new, what makes these attacks so stark is the attackers’ exploitation of security weaknesses and vulnerabilities in thousands of devices to launch the attacks. Without addressing the vulnerabilities that exist in these systems, these types of widespread outages may be more common in the future, particularly as the devices become increasingly complex in their structure and how they interact.
Company Safeguards And Their Adequacy
Verizon’s 2015 Data Breach Investigations Report found that attacks are increasing in sophistication, with 70% of them using a combination of techniques. Furthermore, Egress Software Technologies in their 2016 Infosecurity Europe survey found that, of the organisations present at the event, two thirds admitted they could do more to protect data, with 61% admitting to suffering a security breach in the past year.
Comparably, the Experian Data Breach Resolution and Ponemon Institute Study (2016) found that 60% of companies surveyed found employees to be lacking critical knowledge and that workshops designed to combat this deficiency are currently inadequate. Contemporary business practice in regards to cyber security appears to be lacking, with companies relying on simple employee education and “one size fits all” security technologies.
Moreover, there is a mismatch between board priorities and data breach realities, with the study finding that only 35% of respondents believe that senior management holds cyber security as a priority. Simply put, this demonstrates a clear gap between the business approach and the awareness of the looming threat created by ever-increasing interconnectedness on the cloud. As such, it can be seen that companies either appear unconcerned by the threat or demonstrably lack the appropriate priority setting to protect users’ data.
Companies are not prioritising data security, and this is costly for several reasons. A data breach is a public relations disaster because it can lead to customers and clients severing their connection to the company out of fear that their interaction can impact the other areas of their lives. A brand’s reputation also has an impact on attracting the best talent, the best suppliers and creating better opportunities for developing relations with partners.
Moreover, Semafone, a UK-based fraud prevention company, found that businesses are less likely to trade or conduct deals with firms that have been breached, particularly if the breach included sensitive data. Thus the breach can translate directly into financial losses for the enterprise.
This can be further seen if the attack causes a disruption to service capability. For example, if systems require repair and evaluation, this creates a period of downtime where the company is not operating optimally, and this causes a knock on effect for profits, and thus investors and shareholders.
Furthermore, according to Cisco’s 2015 Security Capabilities Benchmark Study, security executives showed lower confidence in their security tools and processes than they did in 2014. In 2015, 59% of organisations said their security infrastructure was “very up to date,” yet this figure stood at 64% in 2014. These growing concerns about security could act as a motivator for executive level management to begin to implement stronger security strategies, from improving internal infrastructure to removing software with known vulnerabilities.
One could argue that this is an issue to be solved by the markets. The firms and companies that possess lower security standards and thus receive attacks would suffer detrimental financial loss, from investors and consumers, and irreparable brand damage, from reputational decay and weak consumer confidence. Additionally, the legal penalties and sanctions would further affect company performance and force directors and managing executives to consider new cyber initiatives. This includes where operations are disrupted, consequently causing businesses to fail in their obligations to customers, resulting in class action suits from consumers and even shareholders.
One can see an example of the market hitting back at high-profile attacks with TalkTalk. Due to the assault, the company lost 101,000 customers and £60m in investments as well as becoming the subject of a Parliamentary inquiry. Furthermore, TalkTalk’s shares have never returned to pre-attack levels.
As a result of the cyber-attacks, firms would have to continually update their security measures and test their defences using cyber-simulations and controlled attacks as a way to immunise themselves from danger. Thus, to stay competitive, firms have to keep abreast of cutting edge cyber-security measures and technologies. At the moment, it appears that a breach, unless it categorically challenges the fundamental operation of a company, is recoverable and, as a consequence, Sean Mason, director of threat management at Cisco security services, identifies that having a quick response to breaches and facilitating a fast recovery can minimise this damage and eventually contribute to stock recovery.
However, leaving the security of users’ data solely to a Darwinian economic approach is not sufficient. Michael Bruemmer, an Experian Data Breach Resolution Vice President, believes that companies need to shift to “a culture of security,” and that more must be done to minimise negligence from employees, including mandatory workshops on password setting, device safety and browsing habits. By reducing the risk of an internal issue, companies can pour more resources into bolstering external defences. It is clear that cyber security needs to be a priority.
Moreover, LogRhythm, a security intelligence company, points out the growing trend of sophisticated hackers and that focus must shift to a security culture, both in making it difficult to breach a business’s safety and in restricting what hackers can do once they have access. Even with the calls from security companies to focus on defences, businesses are still unconcerned with the damage that can be caused, as highlighted by the lack of senior management awareness above and the high-level attacks against companies like Target and Sony Pictures Entertainment.
A key tool in combatting cyber-attacks is ensuring that a company’s cyber infrastructure is secure. Thus, it is necessary to regulate companies’ minimum commitment to securing their networks, in order to protect themselves, other entities and their clients. Fundamentally, therefore, the law presents a powerful opportunity to set high standards and diminish the scope of power available to attackers. Certainly, the law will have to keep pace with technological advancements in the future but, through having a standard of cyber security that firms must adhere to, one can significantly reduce the risk of successful hacks.
Thus, one can argue that the law performs two vital roles: enhancing cyber security preparedness and protecting consumers.
First, by having a common, minimum and mandatory standard of security, companies within the same jurisdictions can present a unified defence against potential attacks. This helps facilitate trust and business relationships since companies understand that the other side is also protecting their data. This is particularly important in mergers and acquisitions, since when one company purchases another, not only are they buying their data, they are also burdening themselves with any security issues the target company possesses. By having a common standard, regulated by strict laws, the security question, while still important, is somewhat alleviated when weighing up the situation in purchasing another corporate entity. This point is certainly poignant in light of Verizon’s talks to purchase Yahoo’s digital assets, especially in the wake of the announcement that Yahoo has suffered two major security breaches.
Further, through having a common standard, firms can focus on improving their cyber security and moving forward, rather than worrying about the weak infrastructures of their ‘neighbours.’ Additionally, from an international perspective, all economies and nations possess their idiosyncratic traits, but cyber attacks are ubiquitous. From this, it can be argued that an international legal standard is useful in breaking down the barriers between nations and facilitating a united front. With globalisation and greater interconnectedness between nations, a common dialogue of information technology standards and security measures could further enhance efforts to reduce cyber crime.
Secondly, by implementing mandatory standards and further regulations (such as a mandatory disclosure of breaches), the law can help protect those who are impacted the most by cyber attacks, yet who would otherwise not be in a position to defend themselves. Whether these are users (for example, Yahoo email account holders) or clients (for example sovereign nations seeking advice from a law firm), data breaches present a real risk to the continuing safety of those concerned. As aforementioned, stolen information can contribute to identity theft, financial loss and damage and potentially significant harm to reputations or even emergency systems (such as stolen hospital records).
The law can enforce protection by requiring firms to report breaches, enabling the relevant government authorities to take action to strengthen security, empower individuals to mitigate harm as well as encouraging organisations to adopt effective security measures and protect internal systems.
Europe – Looking To The Future
One can see that the European Union is moving to bolster user protection by introducing mandatory minimums and increasing accountability and responsibility.
The EU General Data Protection Regulation aims to reflect the exponential growth of personal data processing as the internet services continue to develop. Further, the regulation aims to put individuals in control of their data, instating strict conditions over consent for data to be captured and stored. This creates new obligations in areas such as data anonymisation, compulsory breach notifications and the appointment of Data Protection Officers, requiring organisations handling EU citizens’ data to make major changes in the way they operate. Comparatively, companies wanting to conduct business in Europe, either directly themselves or indirectly through a European subsidiary, will have to comply with certain standards. Thus this regulation has the potential to reach beyond the member states.
On the penalty issue, this regulation includes the appointment of dedicated Data Protection Officers within companies and the requirement to notify relevant authorities of a breach within 72 hours of becoming aware of it. Furthermore, non-compliance with the regulation could cost up to 4% of a company’s annual turnover or €20m, whichever is higher. As such, this figure is both eye-watering and attention-grabbing and is certain not to go unnoticed with executive level decision makers.
Take for example the situation of TalkTalk, which expected a fine of just £500,000 after their recent security breach. If the breach had occurred when the regulation was in force, the relevant authorities would have had the power to fine the entity a total of £36.5m. What’s more, the strength and standard setting of this regulation have meant that, even with Brexit, the UK’s ICO points towards expectations of legislation in the UK to match its European siblings. This will undoubtedly bring the cybersecurity topic to the discussion table in board meetings and management hearings in the coming months.
Recently, however, the GDPR received a complementary directive. On May 17th, 2016, the EU Council officially adopted the first EU-wide legislation on cyber security – the Network Information Security Directive. The directive complements the GDPR by imposing obligations on businesses that act as operators of essential services in high-risk sectors such as energy and finance, requiring them to take measures to minimise their cyber risk, and to report certain cyber incidents.
The greater oversight and reporting required by the directive will help facilitate a gradual move towards compliance by compelling companies to review their contemporary systems and identify key weaknesses and opportunities for development. Furthermore, the directive imposes obligations on digital service providers, “including all operators of e-commerce platforms, search engines and cloud computing services,” to increase the security of their users’ data.
With that said, qualifying businesses that are identified as operators of essential services must take “appropriate and proportionate technical and organisational measures” to minimise the impact of cyber security incidents and to ensure continuity of their services. It is up to the national regulatory authorities to determine the exact nature of the measures to be taken, but it would not be wrong to estimate measures may include taking steps to secure a company’s infrastructure, such as ensuring that the appropriate corporate governance and compliance procedures are in place.
Primarily, preparing a company for compliance with the new regulation must start from the ground up, by ensuring that all employees who use the company’s infrastructure are aware of the implications of a cyber security attack. This includes relevant training on connecting personal devices to the network and on email security, enabling a more proactive approach to cyber security. Fundamentally, the internal processes, whether an employee or the network, are the first line of defence. Whether the aim is compliance or risk reduction, the individuals who build the foundations of a company must be secure.
A further issue is understanding the nature of the company’s data usage. Since some attackers are looking to abuse a company’s data, understanding the use of the data, where it is going and what data a company has is vital to combatting attacks. The regulation highlights a risk-based approach, making it imperative that companies implement secure procedures for data storage and transfers, as well as controls to protect sensitive information. Breaches that affect compliance will incur hefty penalties, both financially and for one’s reputation.
While some may see the review process and compliance as a burden, both in time and financially, it should be seen as business enabling, “allowing an organisation to do business in new markets and promote its compliance and strong security controls as a differentiator.” What’s more, strong compliance practices will instil faith in clients and future business partners, since they know their data is well-protected.
China And Cyber Security
The danger of poor cyber security is not merely limited to Europe. China currently holds the title for the world’s largest digital shopping, mobile payments and internet-enabled financial services market. It is estimated that more than 700 million Chinese people have access to the internet and around 400 million of these consumers are conducting the majority of their payments using smartphones.
The country’s overall reliance on information technology is a market worth more than $300bn. Despite this vast and impressive online infrastructure, the Booz Allen Cyber Power Index 2014 placed China in thirteenth place regarding their 2015 global cyber power ranking, while the US and Germany rank second and fourth, respectively. The lower ranking can be attributed to the different objectives that China pursues when tackling the cybersecurity question. Unlike its Western counterparts, who focus on risk-based, consumer protective approaches by ensuring that there are stiff regulations in place to punish breaches and facilitate standard setting, China applies tight controls over its domestic internet in order to advance its economic, political, and military interests. By having such tightly wound motives in internet control, the approach to what is required shifts from protecting consumers’ data to preventing attacks that threaten party objectives. Fundamentally, therefore, there is a different cyber-philosophy at play.
Simply put, China’s goal in using the law as a cyber regulatory tool is attached to its use of the internet as a means to build up a domestic information economy and a secure network infrastructure that directly benefits national economic development and political stability. From this, one can see that international objectives, such as a common standard, are immaterial to the task at hand. For China, protecting domestic structures is at the heart of cyber law reform. One can see such a move in the latest piece of legislation aimed at addressing vulnerabilities in cyber security, namely the Cyber Security Law of the People’s Republic of China (2016).
The new law will require domestic and international software companies, network-equipment makers and other technology suppliers to disclose their proprietary source code – the core component and intellectual property running their software – in order to prove that their products cannot be compromised by hackers. Secondly, the government wants firms which operate in “critical” areas to store any personal information or important data that they gather in China, within China’s borders.
On a fundamental level, the law’s definition of ‘critical’ is rather vague and expansive, but it is clear that it would apply to commonly accepted areas such as ICT services, energy, transport, water resources and finance. The latter of these new requirements can be seen as rather burdensome on smaller companies, particularly those in the social media sphere. The longer a company operates, the more data it will collect from within China, thus more storage space will be required, with further expenses to acquire this storage in China.
The initial reception of these regulations was negative, especially from multinational corporations like Microsoft and Apple, which typically rely on cross-border flows of business data. This is compounded by the worry that the law will not only require additional expenses in regards to new investments but additionally increase the risk of data theft. Further, companies will be required to obtain security certifications for important network equipment and software.
Foreign firms expressed a fear that this might be used to pressure them into turning over security keys and other patented software to the state which would then be disseminated to state-owned rivals. This would hit Western firms the hardest, potentially even barring them from China’s still growing market. Such a worry was highlighted by Michael Clauss, Germany’s ambassador to China, who expressed that the new “security rules might be used to pursue other aims” including industrial policies favouring Chinese companies.
From a cyber security perspective, China appears to have adopted a shelter mentality, concerned more with domestic protectionism than with actively reinforcing cyber defences and rooting out cyber criminals, a position that lends itself poorly to cross-border cooperative security operations and efforts, weakening China’s ability to defend itself in the long run.
Ultimately, China’s regulations and cyber security due diligence appear quite distinct when compared to the European Union’s, both as a result of the domestic objectives that China is attempting to achieve and the economic endeavours which underlie the movements, demonstrating the difficulty of crafting a global norm in this space. Within this diametric position between cyber security practices, one can see that merely complying with the legal regulations that govern a company’s activities is not enough; firms must constantly be adapting and innovating to stay at the cutting edge of cyber-defence.
Currently, companies appear unaware of the growing trend in both the scale and sophistication of cyber security threats, and this is worrying. While cyber threats are a part of the new world, more can be done to protect data and make it difficult for parties to steal or damage such data. With newer legislation pushing for greater protection, priorities may begin to shift, particularly in light of the non-compliance penalties.
While merely complying may not be the best strategy for protecting data from increasing attacks, it does ensure that there is a minimum standard to be met, at least decreasing the likelihood of a successful breach. Fundamentally, the law is a powerful tool to assist with setting a high standard in data protection, providing a degree of security alongside flexibility for firms to approach their policies in a business manner.
Cyber-attacks will only increase as the world becomes increasingly connected. Thus it is up to the leaders of corporations, business, companies and organisations to be ahead of the curve in the fight against cyber-crime.