Last month alone, Cathay Pacific revealed it had suffered a data leak affecting 9.4m customers, British Airways said 185,000 more people were affected by a cyber attack than previously thought, Yahoo agreed to pay $50m in damages for the biggest data theft so far, and Facebook announced hackers had gained access to sensitive information of 14m users.
Huge losses of personal data are by now a familiar story, even if the causes have changed. More than a decade ago, the UK government came under fire for losing 25m personal records after two discs were lost in the post. Then, advice from information security professionals focused on the importance of encrypting data and avoiding backing up systems to physical data tapes that could easily be misplaced.
The NotPetya attack of 2017 — which paralysed global shipping business Maersk, took out critical infrastructure in Ukraine’s banking system, and hobbled some of Europe’s largest companies — was an entirely new level of sophistication. The attack started with compromised third-party accounting software, which spread the attack through legitimate updates.
The prominence, severity and ubiquity of such attacks mean the message has been accepted generally by companies that they need to take cyber security seriously, and that they have certain specific responsibilities.
“NotPetya made all organisations sit up and take notice,” says Richard Horne, a cyber security partner at consultancy PwC.
A UK government survey published in April found that more than 90 per cent of large companies said their senior managers rated cyber security a high priority. Despite this awareness, “most organisations are still trying to get the basics right”, Mr Horne says. Such basics include keeping systems up to date, knowing where data is and keeping it contained.
The best companies are responding by making cyber security a fundamental part of how they expand as a business, he says, and thinking about where the risks are most likely to manifest. That could be in the form of ransomware — where hackers demand payment for returning access to data or for agreeing not to publish sensitive information — or, more recently, the unauthorised use of systems for digital coin mining.
For many organisations, getting to grips with cyber threats means they need to simplify their operations: decommissioning old IT systems, controlling the number of connections to the internet, and thinking about whether expansion to a new territory or product area could expose them to too much risk.
That concern spills over into mergers and acquisitions, where cyber security has become a much greater focus of due diligence efforts. “We’ve seen deals crater because of the standard of IT security of the target,” says Richard Cumbley, the head of technology and intellectual property practices at law firm Linklaters. There has been a big change in companies’ attitudes, he says. “IT security as an area of deal due diligence did not really come on the radar even three years ago.”
The shift in how companies approach dealmaking is part of a broader move to try to get ahead of cyber threats, says Paul Harragan, a senior cyber security specialist at EY.
“We’re seeing a holistic shift from cyber security strategy as reactive to proactive. The controls [many companies] have in place are very reactive — they only identify what’s already out there,” he says. “We’re noticing a shift to scenario-based testing — identifying scenarios which really could damage the business and testing them to understand how the company reacts.”
Simulating a cyber attack can help the board understand how to respond when a real breach occurs, advisers say. Some of the best-prepared companies might do dry runs with the board and senior managers many times a year.
New data privacy rules have spurred the increase in preparedness in Europe, and debate about whether new federal legislation is needed in the US. GDPR (General Data Protection Regulation), which came into force in the EU in May, requires companies to report certain personal data breaches within 72 hours of becoming aware of them or face fines that could be as much as €20m, or 4 per cent of annual global turnover — whichever is higher — a step-change from the regime that saw Facebook fined the maximum amount of £500,000 by the UK Information Commissioner’s Office over the Cambridge Analytica scandal over the abuse of data for political purposes.
Even if GDPR has increased companies’ awareness of data security risks, and the need to promptly identify and report breaches, businesses are still making mistakes, advisers say.
“GDPR has certainly increased awareness of [cyber security] issues, but the effectiveness of it as a tool to deal with some of the emerging issues is still questionable,” says Feng Li, chair of information management at Cass Business School.
Many companies are failing to match their investment to the pace of growth in cyber threats, Prof Li says. Others that outsource much of their security to specialists should recognise that they cannot eliminate the risk of reputational damage from a cyber breach and that the regulatory consequences still sit ultimately with the business.
While technological solutions are being developed, one of the main vulnerabilities is still the same as in the era of lost laptops and floppy discs, say advisers. Often the cause of a breach is employees not following internal policies or best practice: failing to change passwords, clicking on phishing links, or smuggling out valuable IP for financial gain.
“We’re humans,” says Prof Li. “We’re always going to make mistakes. Hackers are always going to look for vulnerabilities.”
Case studies: trends in cyber security
Cross industry frameworks
Siemens initiated the Charter of Trust for cyber security with partners Airbus, Allianz, Daimler Group, IBM, NXP, SGS and Deutsche Telekom. The charter established core principles and best practices for safeguarding the systems that underpin manufacturing, power grids and critical infrastructure. As part of its commitment, Siemens launched a framework to ensure that its cyber security efforts keep pace with digitisation by including security considerations in early stages of product development.
The company deploys an internal “friendly hacking” team to seek vulnerabilities in its own systems, and quickly informs customers of security gaps, software patches and proposed corrective measures. Siemens presides over a system of more than 1m devices connected to MindSphere, its operating system. The charter now includes 16 signatories.
AIG, KPMG, Norton Rose Fulbright
AIG, the international insurer, partnered with professional advisers to create the Cyber Edge service for corporate clients to help prevent and respond to cyber attacks and data breaches. It gives clients access to a combined consultancy service of breach coaches, forensics experts, lawyers and public relations professionals. The service helps contain any incident and manage the reputational, legal and operational problems it could raise.
Advanced technology strategies
The management consulting firm assisted a large US-based financial services company to investigate a potential breach in its mortgage processing unit. The bank uncovered instances of unauthorised access to client documents as a result of monitoring their online application service. To investigate the scope and identify which documents had been accessed, Ankura conducted a detailed study of the bank’s web server logs from over nine years. Working with the financial services IT team, Ankura’s global forensics unit was able to identify a subset of 0.03 per cent of the server logs as potentially exploited, including the relevant IP addresses and access locations.
CyberBox is a collaboration between law firm Bird & Bird and seven non-legal businesses: Aon, MHP Communications, Context, IRM, CybSafe, Smartgate Solutions and The Inkerman Group. Launched in 2017, the collaboration offers cyber security services for clients, including public relations advice, insurance, education, forensic IT and security consulting. Clients can select services to build a tailored approach in a crisis or develop greater resilience and ensure compliance.
Advanced technology strategies
The corporate investigations and risk consulting firm helped a client respond to a data breach and extortion attempt. While Kroll’s forensics team worked to track down the perpetrator, it put in place measures to reduce the potential impact of confidential data being disclosed.
This involved creating a “fog” around the perpetrator’s website and online decoys to misdirect anyone seeking to download the stolen data. They worked closely with lawyers to issue takedown notices and tracked anyone looking at the stolen data on decoy sites.
VMware and OneTrust
VMware, the subsidiary of Dell Technologies that provides cloud computing services, embedded privacy considerations into every operational process. It implemented OneTrust, a software tool that automates many of the processes businesses are required to undertake to comply with GDPR (General Data Protection Regulation) and other global privacy regulations. This enables VMware to maintain compliance standards and transparency in its operations.
PayPal and Enigma
End-to-end data collection and analysis
PayPal redefined its approach to risk and compliance by consolidating oversight of all risks into a single group and creating a new role reporting directly to the chief executive. This helps the company protect itself and others from data breaches. It also helps it collaborate and share information about unusual payments with international law enforcement agencies, which helps it thwart terrorism financing and child exploitation. With the help of Enigma, the data management and intelligence company, PayPal is implementing a system to capture data that will help it ensure better customer privacy protection.
More than 40 law firms and cyber security businesses established an international alliance to provide legal, compliance and technical solutions for companies dealing with security challenges. The alliance, which is led by lawyers at firms covering jurisdictions in six continents, is focused on combining legal and consulting services with technological tools and IT specialists to assist in data protection and deal with data breaches.
PwC was singled out in the research for this report for its team of cyber security experts, data privacy lawyers and operations specialists. It recently helped a large multinational corporation respond to a breach in which millions of customers’ payment details were stolen. PwC’s threat intelligence and forensics specialists investigated how the theft happened, identifying what was taken and helping to close the breach. At the same time, a crisis management team helped senior managers to come up with a communications strategy.
The reputation and privacy consultancy helped a prominent US recording artist whose unreleased album was stolen through a hack and leaked on the dark web. The firm’s cyber security experts used digital forensic techniques to track down the people responsible for the leak. The information was shared with law enforcement authorities, including the FBI, which led to an arrest on hacking and piracy charges. The Schillings team have helped the client implement more robust cyber security measures while lawyers pursue civil damages against the hackers.
Case studies research: RSG Consulting
This article has been amended since original publication to correct the number of signatories to the Charter of Trust (Siemens item)
Get alerts on Cyber Security when a new story is published