Businesses under attack
The Government’s Cyber Security Breaches Survey 2021 found that 39 per cent of businesses were subjected to a cyber attack or breach in a 12-month period and 21 per cent lost money, data or other assets. The average cost of cyber security breaches was estimated to be £8,460; for medium and large firms the average cost was higher, at £13,400.
Dai Davis, solicitor and partner at IT law specialists Percy Crow Davis & Co, says the Wikipedia definition of a cyber-attack – any attempt to expose, alter, disable, destroy, steal or gain information through unauthorised access to or make unauthorised use of… a computer information system, computer infrastructure, computer network, or personal computer device – matches the broad definition of an offence under section 1 of the Computer Misuse Act 1990. “This criminalises any action that causes a computer to perform any function with intent to secure access to any programme or data held in any computer where that access is unauthorised,” he says.
Roy Isbell, a cyber security specialist and advisor to the UK Forensic Science Regulator, agrees. He defines a cyber-attack as “fundamentally the interaction of a threat actor with a particular system with the intention of achieving a particular outcome.”
As to where threats originate, Mr Davis says some are performed by ‘script kiddies’ who try to hack into a system for fun. “For the criminally minded,” he says, “making money is the goal and they’ll attack anything where it pays them to do so.” At the extreme, states such as China, Russia and North Korea attack companies to steal technology, he adds.
A changed landscape
Mr Isbell says Covid has altered the landscape. “We now have a more distributed business model with working from home, often on shared networks with only limited security,” he says. Newsworthy topics may also be used to persuade people to click on links that take them to compromised websites.
No system is perfect, but, says Mr Davis: “The amount of effort it takes to breach a system is proportional to the amount of effort taken to secure the site in the first place.”
Mr Isbell adds: “A security breach is not a single event or tool, but a combination of knowledge, skills and intelligence used in sequence to achieve the outcome the threat actor wants.” He emphasises that cyber security is about managing risk. “This requires spending time evaluating and understanding the cyber environment and what it is we need to protect; it is not always the data that requires protection, but the systems themselves, especially where the system is deemed critical.”
There seems no easy way to counter cyber threats. Apart from your own systems, Mr Isbell would look at the supply chain, “especially where processes may share data between firms.” For him, “an understanding of the firm’s cyber ecosystem is essential… not just a focus on the data residing on its IT systems.”
Mr Davis cautions against placing too much reliance on specific security products, “many of which are good, but which solve only the security issue the particular vendor advertises.” Staff training is something to consider, but Mr Davis says it needs to be regular. “There is little point in training only during induction week… staff may be sent a malicious email at any time.”
Mr Isbell values training too. “The most efficient and well understood security environments I have witnessed are ones where the company has worked to develop security as part of the culture of the organisation,” he says.
Placing a header on every email warning that it may be malicious if from an external source is an option, but Mr Davis thinks “it is likely to be ignored as the staff member may be anxious to read the email, not the header.”
Mr Isbell recommends including cyber security breaches in business continuity disaster recovery planning. “Firms that had a robust incident response plan have not only been able to recover but recovered faster and minimised the overall impact on the business,” he says.
Those that do nothing risk legal fallout. Mr Davis says the probability of a fine under the civil part of the General Data Protection Regulation is tiny, but the risk of criminal sanction is not. “Criminals, like regulators, have limited budgets and look for low hanging fruit,” he says. “If you can make your business more secure than your competitor’s, it will be enough to persuade some criminals to look elsewhere for a softer target.”
Beyond that, Mr Isbell says that apart from implementing security, businesses should have some form of monitoring. “If none is implemented, the firm will not know it has been breached until the breach is made public,” he says. This then raises the question: “Who would trust an organisation that does not take security seriously?”