A Defining Year for Cyber Risk

Last year was a defining year for cyber risk! Many events contributed towards shaping cyber risk; however, a number of stand-out “Influencers” impacted businesses during the year and will continue to do so in the future. This raised the awareness of cyber risk in the UK and within the business community as a whole.

The “Influencers” that had a bearing on cyber risk:

1. The Threats

Ransomware 

Ransomware is a form of malicious software that a hacker uses to encrypt the hardware of a computer; the hacker then extorts money, normally in the form of bitcoins, in exchange for the decryption code.

This form of cyber attack is now the most common in the UK, with 54% of SMEs experiencing a ransomware attack. Surprisingly, this is higher than in the US, which is at 47%.

The impact is loss of income as a result of paying the ransom, loss of files, time spent by the business on remediation, downtime and the possible loss of life. There is no sign of abatement of this form of cyber attack.

Phishing

Phishing is recognized as a method utilized by hackers to gain access to personal or business details in order to commit a crime. This is normally an act of fraud or is used to cause disruption to a computer system. It can involve sending a bogus invoice by e-mail requesting the payment of money to a hacker's bank account.

The UK is one of the most targeted countries for phishing scams.

The Internet of Things (IOT)

The Internet of Things is the internet working through “connected devices” and “smart devices”, including buildings, via embedded electronics, software or sensors. This enables these objects to collect and exchange data.

When the devices are infiltrated by a hacker, the potential to cause disruption is enormous. The threats are twofold: they can result in denial of service attacks or the compromising of security leading to a breach of privacy. Last year saw a cyber attack on Dyn through the malware strain Mirai, which targets vulnerable Internet of Things devices. The botnet used in this attack was made possible via a compromised digital video recorder.

These forms of attacks are only likely to increase in the future as “connected devices” do not have adequate security protection in place to prevent such attacks.

2. The Breaches

Yahoo

Yahoo announced, in the space of a couple of months, two major breaches of their user accounts. One occurred in 2014 and consisted of the theft of half a billion of their user accounts; the other, in 2013, is believed to be nearer a billion. Both attacks were believed to be state sponsored.

These are two of the largest ever recorded compromises of personal information. It demonstrates that attacks of this nature are getting larger and that high profile companies are still a principal target for hackers.

Banks

Banks were hit hard by a number of cyber attacks this year, and the list is a long one: Bangladesh Central Bank, where USD850M was stolen; SWIFT attacks on banks in the Philippines and Vietnam and the Banco del Austro; attacks also took place in the Ukraine and at a number of US and Canadian banks. In the UK, Tesco Bank, HSBC and NatWest were all subjected to cyber attacks, but with limited losses reported.

Cyber attacks on financial institutions have increased dramatically over the past twelve months and good cyber risk management should be a key consideration for this sector.

SMEs and Public Sector are now a focus for Hackers

This year saw SMEs become the subject of increased cyber attacks, demonstrating that they too have a real cyber risk which cannot be ignored. Ransomware attacks were seen at businesses ranging from hairdressing salons to florists. Local authorities and hospitals were also targeted; the unluckiest county was probably Lincolnshire, with the county council being hit by a ransomware attack and various hospitals in Grimsby, Scunthorpe and Goole having their computer networks compromised.

3. The Regulation

The Information Commissioner's Office (ICO)

The ICO showed its teeth and fined TalkTalk £400,000 for various security failings following the cyber attack that took place last year. It is likely that we will see the ICO exercise these powers more and more in the run-up to the General Data Protection Regulations coming into effect in 2018.

General Data Protection Regulations

These were finally adopted in April this year and will come into force on 25th May 2018. The clock is ticking and all businesses will need to assess what data they have, where it is stored and how they manage it, irrespective of whether they are a data processor or data controller. The fines for a breach are 4% of gross annual turnover, so non-compliance is not an option.

Privacy Shield

The Privacy Shield is now live, having come into force on the 1st of August last year, replacing the Safe Harbour. There have already been some challenges to this, notably by Germany, and its current framework may be subject to change in the coming year.

What Else ….. ?

The Panama Papers, Brexit, Trump, the development of cyber insurance….. the list is endless.

This year has without doubt been a defining year for cyber risk. 2017 will further shape the exposures and the vulnerabilities that businesses face from cyber risk.

 
