However, as the cybercrime landscape has evolved and attacks have surged, the transference of this risk between organisations and their insurers has become something of a problem. Ransomware strains like WannaCry and NotPetya played a big role in raising awareness of how malware is evolving. As the industry looks back at these two pivotal attacks five years on, it seems that they signify the ‘beginning of the end’ for affordable premiums and wide-spanning policies. While the WannaCry worm was reported to be the single biggest driver for cyber insurance enquiries in the first half of 2017, NotPetya brought insurance policies into question. In particular, Zurich Insurance managed to avoid pay-outs by citing its “war exclusion” clause, protecting the company from reimbursing costs related to damage from war. Labelled as a ‘watershed moment’ for the insurance industry, NotPetya catalysed the implementation of more rigid clauses and rising premiums to protect insurance companies.
Since these attacks, ransomware and other forms of cybercrime have been on an exponential growth curve. Today, premiums are at an all-time high, as insurers are no longer able to comfortably quantify the risk of such a changeable and dangerous environment. In fact, reports have found that the price of cover in the UK grew by 92% in the fourth quarter of 2021 alone. For enterprises looking to ensure survival post-attack, this means an enforced implementation of better cyber hygiene in an attempt to drive down costs, which ultimately can and should be viewed as a step in the right direction.
The environment for rising premiums
There are a number of factors feeding into the rise in cyber insurance premiums, one of which is undoubtedly the political uncertainty in the wake of Russia's invasion of Ukraine in February 2022. Tensions between the two countries are long-standing and began to heighten, particularly in cyber terms, around eight years ago. Of the string of cyber-attacks launched against Ukraine since then, NotPetya has been the most devastating, labelled the "most economically damaging cyber-attack of all time". Seeded through a trojanised update to a Ukrainian accounting package, the malware initially hit Ukraine's financial, energy and government sectors, but it quickly spread indiscriminately, causing billions in financial damage to western and even Russian organisations.
Considering Russia has again launched attacks on Ukraine, organisations around the world should be on high alert. As the former Chief of the National Cyber Security Centre (NCSC) has warned, we should be increasingly concerned about another NotPetya-style event and what a “spillover” from this could mean for the UK. For cyber insurers, the risk of attacks on government, large organisations and any smaller business linked within the supply chain is simply too high not to consider. Therefore, insurance premiums are inevitably sky-high.
NotPetya also marked the start of what can only be described as a ransomware crisis. Since then, breaches have led to fuel shortages and fears over food supply chains in the US, school closures in the UK and hospital disruption in Europe. The risk of ransomware is now not only critical but also unpredictable: operators are indiscriminate in whom they target and will happily hit any weak organisation, from a large charity to a small supply chain partner. It is therefore unsurprising that cyber insurance companies are both increasing the cost of cover and being more selective about whom they insure.
Are rising premiums a good thing?
It is important to ask the question of whether cyber insurance, as an industry, may be exacerbating the issue of ransomware. If cybercriminals are aware that their financial demands will be no real loss to organisations who can quickly claim it back, will they be incentivised to target those that are covered? It is a quick and easy win, considering that research has found organisations with insurance are twice as likely to pay ransoms compared to those without it. This may be why insurers are taciturn about exactly what and who they pay out for.
It is also possible that insurance has previously bred complacency within cybersecurity. Teams may have treated their insurance policy as their central security strategy and not recognised the value of proactive protection. Given the current climate, this will no longer be the case. Costs will continue to rise and cyberattacks will continue to increase. For businesses even to be considered by insurers, and to be able to afford the cover, they will have to improve their cyber hygiene and embrace a more security-focused culture. In this way, rising premiums can be seen as a positive move that will produce better security.
Securing cyber insurance
So, how do organisations demonstrate to insurers that they’re worth insuring at the lowest premium? Firstly, there needs to be a company-wide, top to bottom cultural shift that makes cybersecurity the responsibility of the entire team – not just the IT managers. This can start with education and training, conducted regularly and through phishing simulation that can test employees against the latest scams and feed back to insurers on how they’re performing.
Businesses must also be proactively and continuously detecting and mitigating threats on their network. For organisations that simply do not have the resource in-house for regular threat monitoring, but will still be a target for ransomware, working with a certified security partner is key. This is particularly pertinent considering the cyber skills gap that is making hiring in-house a huge challenge. With a security partner, organisations can benefit from access to greater expertise and resources, and draw on the aggregate value of cyber professionals with extensive knowledge of the cybersecurity landscape. An outsourced Security Operations Centre (SOC), in particular, can help protect businesses of all sizes with 24/7/365 threat monitoring and protection.
By demonstrating a security-first culture, with well-trained staff who can identify attacks, and implementing tooling and outsourced support to detect threats on the network, a business will be in a far better position to secure cyber insurance. While insurers are simply not prepared for the risk transference of the new era of ransomware and nation-state attacks, their stringent assessments of cyber hygiene may be what drives far better compliance in the coming years.
According to Pitchbook data, the total capital invested in cybersecurity deals grew at a compound annual growth rate (CAGR) of 30% between 2012 and 2019. In 2020, both the number and value of deals contracted heavily as a result of the global pandemic. However, as of July 2021, the cybersecurity deal environment appears to have become red-hot again, with global deals worth €21 billion. 2021 could be a record year for cybersecurity deals.
There are multiple investors in the space, including cyber natives (young companies formed to provide cyber software or services), global consultancies, technology firms, professional services organisations, telcos, engineering businesses and defence companies. The US market is the most mature and advanced globally, but the UK and Europe are not far behind. Alfonso Marone, UK Head of Deal Advisory for TMT at KPMG UK, delves into the topic.
Although there are clear political divides between East and West, and although in some industries such as defence there is a need for obvious reasons to ‘buy local’ in terms of cyber services, we can expect to see consolidation in the global market, for a number of reasons.
Firstly, cyber is inherently a global issue – attackers can strike more or less anywhere, from anywhere. Secondly, software is an inherently suitable product category for scalability and market concentration. Thirdly, on the cyber services side, we also expect consolidation as providers look for economies of scale and scope, build client trust through having a global presence and also, as large international organisations, increase their chances of winning the cut-throat war for talent.
However, there are a number of key challenges that investors need to overcome in order to realise effective deals:
It is essential that investors recognise this set of very cyber-specific investment challenges. In my view - and experience of working with a wide range of clients across the sector - there are three considerations that are of utmost importance for interested investors throughout the deal cycle.
Firstly, deal origination. Given the fragmentation of the market and the fact that many potential targets are still relatively small, deal origination can be a challenge. Well-connected local deal sources are needed who can advise and alert a potential investor on targets that may have real substance and potential.
Secondly, pre-signing due diligence must be absolutely robust. This must include both commercial and technical due diligence.
Thirdly, the target operating model (TOM). The difficulties of technical integration that we have discussed, together with the employee retention challenges, mean it’s vital investors think in detail about the post-deal TOM they are aiming for and how that can be achieved in the integration of any target business.
The case for investment in the cybersecurity sector remains compelling. But, like anything that’s hot, it requires careful handling!
The retail banks were responsible for the highest number of reports (486) – almost 60% of the total. This was followed by wholesale financial markets on 115 reports and retail investment firms on 53.
The root causes for the incidents were attributed to third party failure (21% of reports), hardware/software issues (19%) and change management (18%).
The FCA has recently warned of a significant rise in outages and cyber-attacks affecting financial services firms. It has also called on regulated firms to develop greater cyber resilience to prevent attacks and better operational resilience to recover from disruptions.
According to the new data obtained by RSM, there were 93 cyber-attacks reported in 2018. Over half of these were phishing attacks, while 20% were ransomware attacks.
Commenting on the figures, Steve Snaith, a technology risk assurance partner at RSM said: "While the jump in cyber incidents among financial services firms looks alarming, it's likely that this is due in part to firms being more proactive in reporting incidents to the regulator. It also reflects the increased onus on security and data breach reporting following the GDPR and recent FCA requirements.
"However, we suspect that there is still a high level of under-reporting. Failure to immediately report to the FCA a significant attempted fraud against a firm via cyber-attack could expose the firm to sanctions and penalties from the FCA.
"As the FCA has previously pointed out, eliminating the threat of cyber-attacks is all but impossible. While the financial services sector emerged relatively unscathed from recent well-publicised attacks such as NotPetya, the sector should be wary of complacency given the inherent risk of cyber-attacks that it faces.
"The figures also underline the importance of organisations obtaining third party assurance of their partners' cyber controls. Moreover, the continued high proportion of successful phishing attacks highlights the need to continue to drive cyber risk awareness among staff.
"Interestingly, a high proportion of cyber events were linked to change management, highlighting the risk of changes to IT environments not being managed effectively, leading to consequent loss. The requirements for Privacy Impact Assessments as a formal requirement of GDPR/DPA2018 should hopefully drive a greater level of governance in this area.
"Overall, there remain serious vulnerabilities across some financial services businesses when it comes to the effectiveness of their cyber controls. More needs to be done to embed a cyber resilient culture and ensure effective incident reporting processes are in place."
Fig1: The number of cyber incidents reported to the FCA by regulated firms in 2018 broken down by the sector the incident impacted (source FCA):
Impacted sector | 2018 | % of incidents |
Retail banking | 486 | 59% |
Wholesale financial markets | 115 | 14% |
Retail investments | 53 | 6% |
Retail lending | 52 | 6% |
General insurance and protection | 49 | 6% |
Pensions and retirement income | 35 | 4% |
Investment management | 29 | 4% |
Total | 819 | 100% |
Fig2: The root causes of cyber incidents reported to the FCA (source FCA):
Root cause | 2018 (Jan-Dec) | % of incidents |
3rd party failure | 174 | 21% |
Hardware/software | 157 | 19% |
Change management | 146 | 18% |
Cyber attack | 93 | 11% |
TBC | 93 | 11% |
Human error | 47 | 6% |
Process/control failure | 45 | 5% |
Capacity management | 25 | 3% |
External factors | 17 | 2% |
Theft | 11 | 1% |
Root cause not found | 11 | 1% |
Total | 819 | 100% |
Fig3: The breakdown of incidents in 2018 categorised as 'Cyber attacks' (source FCA):
Cyber attack root cause breakdown | 2018 (Jan-Dec) | % of incidents |
Cyber - Phishing/Credential compromise | 48 | 52% |
Cyber - Ransomware | 19 | 20% |
Cyber - Malicious code | 16 | 17% |
Cyber - DDOS | 10 | 11% |
Total | 93 | 100% |
While the sheer number of credentials exposed in these leaks is astounding, it is not surprising, as it only adds to the billion-plus passwords we already knew were floating around on the dark web. Below, Andrew Shikiar, chief marketing officer of the FIDO Alliance, explains why the classic password is on its way out.
What is surprising is the continued reliance on traditional username/password authentication, despite knowing that it is easily breached and susceptible to compromise via credential stuffing attacks.
The problem of authentication has indeed risen to the forefront in recent years as a vast majority of publicised high-profile data breaches have been traced back to weak and shared credentials; usually a username and password combination stored in easily exposed, central databases that hackers can easily infiltrate. Even among IT professionals, who should lead the way when it comes to secure authentication, 69 percent share passwords with colleagues, and over half reuse an average of five passwords across business and personal accounts, according to a recent survey. With nearly 50% of shopping cart abandonment being due to password issues (per a Visa study) and a large proportion of costly IT support calls within enterprises related to passwords, weak authentication is also becoming an economic burden for many businesses.
The good news is that the tide is turning. Rather than encouraging users to change all of their online passwords – which more often than not results in easy-to-remember passwords being recycled across different accounts – website and app developers can now look to new web standards from FIDO Alliance and W3C for strong authentication that will enhance security while improving the user experience. As service providers start to turn on these capabilities, we’ll begin to see an accelerating shift away from passwords – which in time will consign credential leaks such as Collection #1-5 to history.
Mobile devices, PCs and web browsers are now shipping with the capabilities for strong authentication, combining cryptographic protection of user authentication credentials, which cannot be phished and in fact need never leave the user's device, with a low-friction user experience. By building applications and websites that support new web standards for strong cryptographic authentication, developers can leverage authentication mechanisms that are literally already in their users' hands, from fingerprint, iris, face or voice recognition in PCs and mobile devices to portable hardware security keys, to improve security for their businesses and their users.
As 2019 progresses we are surely going to see biometrics and other embedded authentication sources continue to contribute to an enhanced customer experience. The new version of 3D Secure, for example, will be optimised for mobile devices and enable the implementation of secure biometric user verification. Biometrics are likely to impact the financial services industry as well, given their potential to meet organisational and consumer demand for transaction convenience while ensuring compliance with regulations such as the Second Payment Services Directive (PSD2).
While this development is welcomed, the industry needs to continue to commit to creating and implementing technical standards and established best practices, which can also inform emerging government regulation around this technology. Organisations may not be able to eliminate all passwords immediately, but 2019 should be the year that dependency on them begins to decline, as companies look to improve processes and aim to eliminate the burden of managing them -- setting the stage for broader enablement of password-free online experiences as we head into the next decade.
In the last few years we have seen the frequency and severity of third-party cyberattacks against global financial institutions continue to increase. According to Tom Turner, CEO at BitSight, there is a growing need for more effective risk management by firms in the financial services sector.
One of the biggest reported attacks against financial organisations occurred in early 2016, when $81 million was taken from accounts at Bangladesh Bank. Unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank's funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. The Bangladesh Bank managed to halt $850 million in other transactions, and a typo made by the hackers raised suspicions that prevented them from stealing the full $1 billion they were after.
The Financial Conduct Authority (FCA) reported 69 attacks in 2017 compared to 38 reported in 2016, a rise of more than 80% in the last year. We saw two main trends last year. First, there was a continuation of cyberattacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Because SWIFT software is unified and used by almost all the major players in the financial market, attackers were able to use malware to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organisation in the world. Victims of these attacks included several banks in more than 10 countries around the world. Second, we saw the range of financial organisations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups attacked bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds. Their main goal was to withdraw very large sums of money.
With the evolving risk landscape and the challenges of new potential risks including third party risks, companies within financial services need a set of management procedures and a framework for identifying, assessing and mitigating the risks these challenges present. Effective risk management offers sound judgement in making decisions about what is the appropriate resource allocation to minimise and mitigate risk exposure.
The basic principle of a risk management lifecycle is to mitigate risk, transfer risk and accept/monitor risk. This involves identification, assessment, treatment, monitoring and reporting.
In order to mitigate risk, an organisation must measure cyber risk performance and incentivise critical third-party vendors to address security issues through vendor collaboration.
In terms of identification, you can’t manage your risks if you don’t know what they are, or if they exist. The first step is to uncover the risks and define them in a detailed, structured format. You need to identify the potential events that would most influence your ability to achieve your objectives, then define them and assign ownership.
Once the risks are identified they need to be examined in terms of likelihood and impact, also known as assessment. It is important to assess the probability of a risk, and its consequences. This will help identify which risks are priorities and require the most attention. You need to have some way of comparing risks relative to each other and deciding which are acceptable and which require further management. In this way you establish your organisation’s risk appetite.
To transfer risk, an organisation is advised to influence vendors to purchase cyber insurance to transfer risk in the event of a cyber event.
Once the risk has been assessed, an approach for treatment of each risk must now be defined. After assessment, some risks may require no action, to only be continuously monitored, but those that are seen as not acceptable will require an action or mitigation plan to prevent, reduce, or transfer that risk.
To accept and monitor risk, the organisation must understand potential security gaps and may need to accept certain risks due to business drivers or resource scarcity.
Once the risk is identified, assessed and a treatment process defined, it must be continuously monitored. Risk is evolutionary and can always change. The review process is essential for proactive risk management.
Reporting at each stage is a core part of driving decision-making in effective risk management. Therefore, the reporting framework should be defined at an early point in the risk management process, by focusing on report content, format and frequency of production.
Risk transfer is a strategy that enterprises are considering more and more. It mitigates potential risks and complies with cyber security standards. As cybercrime rises, an insurer’s view of cybersecurity has changed from being a pure IT risk to one that requires board-level attention. Insurance is now viewed as fundamental in offsetting the effects of a cyberattack on a financial institution. However, insurers will want to know that appropriate and audited measures are in place to prevent an attack in the first place and respond correctly when cybersecurity does fail. An organisation’s risk management responsibility now extends down the supply chain and insurers will want to know the organisation’s strategies to monitor and mitigate third party vendor risk.
Simplifying risk management and the transfer of risk can also be accomplished by measuring your organisation’s security rating. This is a similar approach to credit ratings for calculating risk. Ratings provide insight into the security posture of third parties as well as your own organisation. The measurement of ratings offers cost saving, transparency, validation and governance to organisations willing to undertake this model.
The benefits of security ratings will be as critical as credit ratings and other factors considered in business partnership decisions in the very near future. The ratings model within risk management can help organisations collaborate and have productive data-driven conversations with regards to risk and security, where they may not have been able to previously.
This year we will see a continuation of third-party cyberattacks targeting systems running SWIFT, allowing attackers to use malware in financial institutions to manipulate applications responsible for cross-border transactions across the world. Banks generally have more robust cyber defences than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements. However, once breached, financial services organisations’ greatest fear is copycat attacks. This is where an effective risk management strategy can enable better cost management and risk visibility related to business operational activities. This leads to better management of market place, competitive and economic conditions, and increases leverage and consolidation of different risk management functions.
The arrival of the GDPR (General Data Protection Regulation) is less than a week away. However, many businesses are still not prepared for the legislation shake-up that could see huge sanctions imposed for non-compliance. Experts at UK based IT support solutions company, TSG, explain for Finance Monthly what the key considerations are when it comes to the finance sector.
If your business is unprepared for GDPR, you are not alone. A Populus survey conducted only this year revealed that 60% of UK businesses do not consider themselves “GDPR ready”. It’s definitely not too late to put measures in place to ensure compliance with the regulation. Following the introduction of GDPR on 25th May, complying with GDPR will be a continuous journey.
What are the key areas you should be considering in light of the looming GDPR deadline?
Cyber-security tops the list
In this digital world, we produce, store and disseminate huge amounts of data. And a significant portion of that will be Personally Identifiable Information (PII); this is the data that matters under GDPR.
Even if, as a business, you don’t store customers’ sensitive data, you’ll still store the data of your employees. Therefore, all businesses must put measures in place to safeguard that digitally-stored data.
Encrypt everything
Arguably the most valuable cyber-security tool at your disposal is encryption. Not only is it a robust way to keep your data inaccessible to cyber criminals, it is also one of the few technical measures the GDPR names explicitly, alongside pseudonymisation. Should any PII you hold fall into the wrong hands, whether deliberately or accidentally, encryption will render it unintelligible, provided the keys are stored and managed separately from the data itself; the GDPR recognises this by relieving you of the duty to notify affected individuals where the breached data was unintelligible to whoever obtained it. Encryption can operate at file, folder, device or even server level, offering the level of protection most suited to your business needs.
Review your policies and processes
The GDPR requires you to implement policies that detail how you intend to process personal data and how you will safeguard that data. It also states that data controllers – that’s your business – must “adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default.” All new policies, whether specifically related to GDPR or not, must be compiled with a ‘privacy by design’ model. Existing policies, including your data protection policy, privacy policy and training policy should also be reviewed in light of GDPR.
Don’t forget subject access requests
Much of the coverage of GDPR has focused on two areas: data breaches and the potentially eye-watering fines. An area that's arguably been overlooked is complying with subject access requests. Individuals can request access to the data you hold on them, verify that you're processing it lawfully and, in some cases, request erasure of their data, also known as the 'right to be forgotten'. Under GDPR you'll have only a month to respond to these requests, otherwise you'll be at risk of non-compliance. More guidance on this can be found in the Information Commissioner's Office (ICO) GDPR guide.
Don’t forget your reporting obligations either
Another element that’s received significantly less coverage is your reporting requirements. In the event of a data breach, businesses must report it to the Information Commissioner’s Office (ICO) within 72 hours of discovery. It’s especially important to note this, as failing to meet this obligation could be considered a bigger breach of the GDPR than the data leak itself. Both Uber and Equifax have come under fire in the past year for covering up breaches, reporting them late and keeping the extent of the breaches under wraps.
A good example to follow is Twitter. Following the discovery of a bug that wrote users' passwords to an internal log in plain text before they were hashed, which is a bigger deal than it sounds, Twitter not only reported the breach but immediately informed its users of the bug, what caused it and the potential repercussions, and advised them on how to keep their data safe. The second element of this is critical to GDPR too: if the breach is likely to result in a high risk to individuals' "rights and freedoms", the victims of the breach must be informed as well.
The key takeaway
The GDPR wasn’t created to punish businesses or to catch them out, but rather to empower individuals and consumers. Whilst there has been a lot of confusion around exactly what has been required for businesses, it’s clear that cyber-security is imperative, as is clueing up on your reporting and response obligations. It’s important to note that simply experiencing a cyber-attack or data breach won’t automatically result in financial punishment; the GDPR clearly states that, should you prove you put in place measures to protect your PII data, you won’t be hit with the most severe fines.
Chatbots are quickly becoming the interface of choice for many organisations. In fact, a recent survey conducted by Oracle revealed that 80% of businesses want chatbots by 2020. While advances in Artificial Intelligence (AI) and mobile technology have created a new set of tools for brands to communicate with, the technology itself has yet to reach a mature state and is consequently highly vulnerable to cyberattacks. This is according to Simon Bain, cybersecurity expert and CEO of BOHH Labs.
Current bot solutions are not entirely secure and can create open passages for cyber criminals to access the data flowing through the chatbot's interface. In effect, this gives attackers a route into an organisation's network, applications and databases.
Bain explains: “While bot technology has improved drastically in recent years, for maximum security, chatbot communication should be encrypted and chatbots should be deployed only on encrypted channels. This can be easily set up on an organisation’s own website, but for brands that use chatbots through third-party platforms such as Facebook, the security features are decided by the third party’s own security branch, which means the organization does not have as much control over the security features on the chatbot. Until public platforms offer end-to-end encryption in their chatbots, businesses should remain cautious.
“One of the biggest advantages in using chatbots is that they are a cheaper solution to customer service. They can serve and reach customers in a way that would otherwise require a tremendous amount of time and resources. This is an area where chatbots are gaining momentum, but instead of bots replacing entire customer service teams, organisations are working with them in tandem to improve customer satisfaction. However, as chatbots collect information from users, the information that is stored and the metadata must be properly secured. When running a chatbot, organisations must consider how the information is stored, how long it’s stored for, how it’s used, and who has access to it. This is especially important for highly regulated industries, such as finance, that will deal with sensitive customer information.”
“While there are clear advantages to integrating chatbot technology as a new communication tool, if companies aren’t made aware of the potential security risks, confidential data will be accessible by any determined hacker. Additionally, attackers may be able to repurpose chatbots to harvest sensitive data from unsuspecting customers.” Bain concludes.
(Source: BOHH Labs)
Last weekend, British shoppers were predicted to have spent almost £8bn on Black Friday sales – nearly four percent higher than last year. While this busy shopping period is certainly good for the British economy, it raises concerns about the opportunities for scammers and cyber criminals. Ross Brewer, VP and MD EMEA at LogRhythm, discusses for Finance Monthly below.
Indeed, all eyes have been on who – and there will be some – will fall victim to hackers’ increasingly persistent and clever tactics. Retailers are prime targets because of the confidential data they hold – whether it’s bank details, email addresses or personal information. There’s absolutely no doubt that cyber criminals will have tried to take advantage of the past week’s online sales peaks to access networks unnoticed or execute malware that has been sitting on the network for months. Retailers have a lot to prove when it comes to showing consumers that they are taking modern-day threats seriously.
As we only saw this week with Uber, it isn’t always a breach that makes headlines, it can be how it’s contained and disclosed. In such a competitive industry, retailers rely heavily on loyalty, which means reputation is key. They need to understand the true value of the data they hold and take the necessary steps to protect it.
Monitoring and detection is key
It’s hugely important that retailers are investing in tools that continuously monitor networks for any signs of a compromise. Indeed, online activity and network communications between components in the card processing chain need to be tightly controlled; a process that is specifically mandated by PCI DSS. With time increasingly of the essence, it is also critical that, rather than simply scanning for threats and raising an alarm if something suspicious is identified, these systems are able to deliver actionable insight with supporting forensic data and contextually rich intelligence. Not only does this ensure that the right information is delivered at the right time, to the right people, but it guarantees that the appropriate context will be attached, significantly decreasing the amount of time it takes to detect and respond to threats.
Most retailers know by now that they cannot afford to take shortcuts when it comes to cyber security. With breaches now a case of when, not if, it’s essential that they are on high alert at all times – particularly during busy shopping periods. Despite growing concerns over the cyber threat, consumers are spending more and more money in store and online each year, but retailers cannot take this for granted. It only takes one data breach to damage a company’s reputation, hinder future sales and/or disrupt pending investments and deals.
The good news is that security intelligence has become so advanced that companies can now automatically detect a compromise as soon as it happens, enabling security teams to stop a cyberattack before any damage is done. With GDPR only a matter of months away, enterprise organisations and retailers are feeling the pressure to identify, mitigate and disclose an attack at the time that it happens. Only with rapid detection and response capabilities will retailers be able to take cyberattackers head on and protect their customers.
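The point Brewer makes about tightly controlled communications in the card processing chain can be turned into a concrete detection. PCI DSS Requirement 1 limits traffic into and out of the cardholder data environment (CDE) to what is necessary, so a monitoring tool can hold the permitted flows as a reference allowlist and flag any deviation, attaching the asset roles involved so that the alert carries the context he describes. The Python below is an added example written for this page, not LogRhythm’s or Finance Monthly’s code; the asset inventory, the allowlist, the 10.10.0.0/16 CDE range and the flow-log lines are all constructed for illustration.

```python
"""Allowlist check for flows touching a cardholder data environment (CDE).

Added example for this page. The asset inventory, allowlist, CDE range and
flow records below are constructed; they do not describe a real network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical asset inventory: address -> role in the card-processing chain.
ASSETS = {
    "10.10.1.10": "pos-terminal",
    "10.10.2.20": "payment-switch",
    "10.10.3.30": "card-db",
    "10.10.4.40": "log-collector",
}

# Hypothetical allowlist of permitted flows between CDE components:
# (source role, destination role, destination port). Anything else is a finding.
ALLOWED = {
    ("pos-terminal", "payment-switch", 443),
    ("payment-switch", "card-db", 5432),
    ("pos-terminal", "log-collector", 6514),
    ("payment-switch", "log-collector", 6514),
    ("card-db", "log-collector", 6514),
}

CDE = ip_network("10.10.0.0/16")  # assumed CDE address range


@dataclass(frozen=True)
class Alert:
    """One flagged flow, with the asset roles attached as context."""
    src: str
    dst: str
    dport: int
    reason: str
    src_role: str
    dst_role: str


def parse_flow(line):
    """Parse a constructed flow-log line of the form 'src dst dport proto'."""
    src, dst, dport, proto = line.split()
    return src, dst, int(dport), proto


def role_of(addr):
    """Look up an address in the inventory; unknown hosts are the interesting case."""
    return ASSETS.get(addr, "unknown")


def check_flow(line):
    """Return an Alert if the flow involves the CDE and is not permitted, else None."""
    src, dst, dport, proto = parse_flow(line)
    if ip_address(src) not in CDE and ip_address(dst) not in CDE:
        return None  # traffic outside the CDE is out of scope for this check
    src_role, dst_role = role_of(src), role_of(dst)
    if src_role == "unknown" or dst_role == "unknown":
        # Covers both a rogue host inside the range and a CDE asset reaching out
        # to an address the inventory does not know (e.g. possible exfiltration).
        reason = "unknown host talking to CDE"
    elif (src_role, dst_role, dport) not in ALLOWED:
        reason = "flow not in allowlist"
    else:
        return None
    return Alert(src, dst, dport, reason, src_role, dst_role)


def check_flows(lines):
    """Run check_flow over a batch of flow-log lines and keep the findings."""
    return [a for a in (check_flow(ln) for ln in lines) if a is not None]


def describe(alert):
    """Render an alert as the kind of context-rich message an analyst needs."""
    return (f"{alert.reason}: {alert.src_role} {alert.src} -> "
            f"{alert.dst_role} {alert.dst} port {alert.dport}")


# Constructed flow records used to exercise the check.
SAMPLE_FLOWS = [
    "10.10.1.10 10.10.2.20 443 tcp",    # POS -> payment switch: permitted
    "10.10.2.20 10.10.3.30 5432 tcp",   # switch -> card DB: permitted
    "10.10.1.10 10.10.3.30 5432 tcp",   # POS straight to card DB: not permitted
    "10.10.3.30 198.51.100.7 443 tcp",  # card DB -> unknown external host
    "10.10.9.99 10.10.3.30 22 tcp",     # unknown host inside the range -> card DB
    "192.0.2.5 192.0.2.6 80 tcp",       # outside the CDE entirely: ignored
]

if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print(describe(alert))
```

The check is deliberately built on an allowlist rather than on signatures: a POS terminal querying the card database directly is not malware, but it is a flow the segmentation design never intended, and that is what the reviewer of a PCI DSS scope wants to see surfaced, with the roles of both endpoints already attached.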
Below, Dave Polton, Director of Innovation at NTT Security, writes about the recent Cyber Week conference in Israel between June 25th and 29th.
Cyber Week Israel 2017 concluded with the main theme touting that 2017 is the year of the state-sponsored attack. But what does this mean for the future of cybersecurity? This seemed to be split into three main themes that most, if not all, of the presenters touched upon:
United Cybersecurity – a premise that the only way we, as cyber defenders, are ever going to stand a chance at protecting our assets, is to join forces against our adversaries. The idea is that partnerships need to be drawn not just within each industry vertical but across the entire industry with both public and private organisations.
Whilst this is not a new idea, the cyber week presenters challenged the industry to build solutions to overcome the objections many have to these partnerships. Just what we will see in this area is yet to be seen, but perhaps we will see some innovation in this space in the not too distant future.
A particular focus was given to the unification of government and industry where critical infrastructure was concerned which led to the second main theme.
IoT / OT / ICS – depending on where you get your statistics, the projected number of connected devices is expected to be roughly 50 billion. However, as we try to understand just how huge the problem may be, my main frustration is how the industry seems to keep interchanging the acronyms IoT, ICS and OT as though they all mean the same thing. I will try to simplify my view. An IoT device is something whose primary function does not require an internet connection. An OT device requires a network connection in order to deliver its primary function. Arguably there are some grey areas but loosely this definition works.
Whilst we are starting to see some new innovative technologies to help protect OT, the messaging from an IoT perspective is that IoT requires security by design, not an aftermarket technology solution. Just how much an organisation will invest in security by design will of course depend on the potential impact of a compromise. For example, one would hope that in the case of autonomous cars the investment would be high.
Cognitive Computing – a number of presenters referenced machine learning, artificial intelligence, orchestration, automation and expert systems. I have grouped them under the term ‘cognitive computing’. Irrespective of the term that was used, the message was clear: in order to bridge the skills gap within the cybersecurity industry we need to leverage cognitive computing. I have blogged about this previously here.
When it comes to monitoring social media usage in the workplace, just half (50%) of companies have internet guidelines in place, despite new research from A&O IT Group revealing that SME staff are spending up to 57% of their day on popular social media channels.
The national review investigated the potential long-term impact of overlooking IT support, including the absence of adequate internet guidelines, which increases the risk of cybercrime and can often lead to technology breakdowns.
Despite almost a third (30%) of SMEs admitting that they had lost at least one full working day due to technology issues, and over two-fifths (42%) admitting that they have lost income due to IT issues, the research highlighted that over half (54%) of SMEs across the UK don’t have annual IT check-ups that could identify and prevent potential system issues.
The survey from the specialist SME and small business IT support service indicated that Facebook is the biggest draw on time for SME employees, with 33% of business owners saying their staff accessed it during their working day, compared to 14% for Twitter and 10% for Instagram.
The findings follow the launch of A&O IT’s specialist SME and small business IT support service in the UK market. The new technology enables SMEs to tap into the same levels of expertise and experience enjoyed by big businesses across the globe. This includes a complete managed IT service through to crisis recovery, cyber security, remote data back-up, annual IT reviews, hardware management and cloud services.
(Source: A&O IT Group)
Businesses are pressing ahead with their digital transformation plans, despite fears of being hit by a cyberattack or data protection regulations. This is according to a new independent research report from Advanced, which questioned over 500 senior executives in UK organisations about their attitudes to using the cloud as part of their digital transformation plans.
Most organisations surveyed are concerned about security (82%) and data protection (68%) in the cloud but, perhaps surprisingly, 80% of them are not put off from adopting the cloud following recent high-profile cyberattacks such as WannaCry. A third (33%) of organisations admit to being experienced in the cloud and continue to consider it for all new projects, while 37% have recently launched cloud computing projects for the first time.
Although positive, these findings should not negate the common concerns and challenges. The survey also found that businesses want better support if they are to execute their digital transformation plans effectively. Security is the biggest barrier, with 76% saying that governments should do more to protect businesses and their customers from a cyberattack.
Meanwhile, 82% of organisations want to see cloud providers do more to build confidence among those looking to adopt a digital transformation strategy, of which the cloud is fundamental. When asked what they look for in a provider, most say financial stability (69%), data held in a UK location (65%) and local support (58%) – above typical benefits touted by providers including scalability (46%) and the breadth of application offerings (38%).
Jon Wrennall, CTO at Advanced, says: “It’s encouraging to see businesses are undeterred from using the cloud, which is fast becoming the right choice for many to drive efficiencies, innovate and grow. Sadly we are seeing the same concerns around security and data protection reported over and over again. It’s right to be concerned about security; it’s time that all of us as cloud services providers take a reality check.
“As an industry and profession, we all need to proactively give clear guidance on security responsibilities and support organisations in being better protected, ensuring devices and applications are properly patched and secured – those writing the software are clearly best placed to provide this. With General Data Protection Regulation (GDPR) coming into force next year we also have a duty of care to provide clarity on how data is being stored and secured in the cloud.
“There’s still a job to be done in creating trust in the cloud and helping customers use the cloud in the right way for the digital transformation that’s right for them. Our survey shows most organisations want financially stable providers and prefer those that store data locally and offer local support; this will become even more pertinent as Britain leaves the European Union. They will trust the providers that offer certainty in an uncertain market and those with a vested interest in the UK and the cloud.”
The independent research was carried out following the results of the general election, during week commencing 12th June. Over 500 participants took part in the survey, which was carried out by Techmarketview.
(Source: Advanced)
This week, IBM Security and Ponemon Institute released the annual Cost of a Data Breach report.
This year’s report found that the UK experienced a decrease in the cost of a data breach, from £2.53 million in 2016, to £2.48 million in 2017. The average cost per lost or stolen record in the UK is estimated at £98.
Key points from the study include:
IBM has also created a “Cost of a Data Breach Calculator,” which you can use below.
(Source: IBM)