
In light of the recent cyberattacks that TSB and British Airways were faced with, Andy Barratt, UK Managing Director at cybersecurity consultancy Coalfire, delves into the trend for large corporates to be hit harder by IT glitches than their SME peers.

It seems barely a week goes by without the world’s news channels breaking the story of a major cybersecurity incident affecting yet another household-name business. In the last month alone, we’ve seen CEOs fall on their swords, the value of shares plummet and hundreds of thousands of people urged to re-secure their online accounts after IT failures and malicious attacks caused wide-scale disruption.

In the modern age, no business is safe – either from external threat or from itself. The IT saga that engulfed TSB this summer, and ultimately cost the bank’s CEO Paul Pester his job, is an example of a big business causing itself a monumental headache through poor risk management.

Bank customers were left without access to their digital accounts for weeks as TSB tried to migrate its clients’ account details across from its existing IT platform to that of its new Spanish owner, Sabadell. When IBM was called in to consult on the issue, it quickly became apparent that insufficient testing had been carried out in advance to ensure the transfer process would run smoothly.

Customers, MPs and journalists alike have since accused TSB of having its head in the sand over the incident, failing to get to the root of the issue quickly enough and keeping customers in the dark. The question on the public’s lips was ‘how could this happen to a business with presumably vast security resources?’.

Corporates miss security sweet spot

The answer is that behind the curtain – and contrary to accepted wisdom on cybersecurity – large enterprises are often not the best prepared to protect themselves against cyber risk, despite having bigger budgets and more resources. Coalfire recently conducted its inaugural Penetration Risk Report, which tested the cyber defences of enterprises of various sizes across sectors including financial services, retail, healthcare, and tech and cloud services. The research involved simulating planned cyber-attacks against the businesses – a practice known as penetration testing – to identify weak spots in their security armour.

The financial services sector fared better than most. But even in this comparatively well-performing sector we found that large enterprises were not the most secure, despite having the most substantial cybersecurity budgets. Instead, it was mid-sized firms that found the sweet spot in terms of protecting their assets and mitigating their security risks.

So why doesn’t bigger spend correlate to improved security?

It’s worth noting at this point that TSB’s issue was not caused by malicious intent or outside interference. However, the incident highlighted a disturbing lack of understanding running throughout the business that is indicative of how large corporations expose themselves to risk.

Culture shocks

Business leaders must become comfortable hearing about problems and technical risk when it comes to IT. Often in large organisations, there is a mindset that the board doesn’t want to know about a problem, so risks are constantly re-framed and cracks painted over.

Consequently, senior executives often don’t have visibility of deeply-rooted issues and, ultimately, make decisions that don’t factor those risks in. This can be particularly unhelpful when businesses are looking to innovate as investment in new technology (mobile banking, rapid deposit taking, etc.) is hamstrung by existing technical challenges.

This mindset where boards are in the dark often occurs in organisations where a culture of blame is prevalent. We must move to a corporate environment where staff feel comfortable elevating issues to management rather than patching them up.

In the worst-case scenario, this disconnection between boardroom and shop floor can leave senior spokespeople fronting up to the media with little understanding of the issues that have embroiled their business in controversy. Highlighting how it should be done was British Airways’ Chief Executive Alex Cruz, who was quick out of the blocks to publicly communicate a detailed understanding of the specifics after the flight operator discovered a malicious breach in September.

Heads will roll

In the immediate aftermath of TSB’s IT failure, the Financial Conduct Authority accused the bank’s leadership of ‘portraying an optimistic view’ and failing to adequately communicate the extent of the issue to the public. The bank apologised unreservedly but the real question remained about its competence and whether TSB’s leadership understood, or was on top of, the job at hand.

While it would be unreasonable to expect the CEO of every UK bank or FTSE 100 business to be an expert on IT and cybersecurity, ultimately the buck stops with them. Given the monumental disruption to reputation and performance, there are a lot of lessons senior leaders can learn from the case of TSB.

Partner networks

Large businesses can also be put at risk due to the security shortcomings of the many partners they work with. This issue was evident when Ticketmaster was subject to a supply chain attack earlier this year. In this case, hackers used code supplied by Ticketmaster’s chatbot operator to extract payment details from its website after the code in question was incorrectly repurposed by Ticketmaster’s in-house team.

Similar activity was likely at play for the British Airways data breach, where data was lifted live from its website most likely via third-party code. BA is a regular participant in industry forums and best practice initiatives, and yet has still been affected, highlighting the risk big businesses face through their extended network of partners. Airlines in particular are at risk of attack because they frequently rely on complex infrastructure and shared services provided by airports, booking agents, aggregators and global distribution systems. Many don’t meet the security compliance rules we set here in the UK.

The same can be said for the financial services industry where there is constant interaction between myriad third parties and their affiliated platforms. For businesses of this size, resilience in the face of an attack is the modern approach. Always assume that someone will find a way in. Responding to that quickly will enable you to minimise loss.

To err is human

It’s also worth considering the somewhat unavoidable risk that the human threat poses to large institutions, given the number of people they employ. It goes without saying that the potential for human error increases exponentially the bigger a workforce is.

Our Penetration Risk Report found that people remain companies’ biggest weakness – across all sizes and sectors. Whether through human error or creating opportunities for social engineering hacks, the chances are that your staff will be your cybersecurity Achilles’ heel.

Accountancy giant Deloitte was targeted last year as hackers got hold of confidential data via an administrator’s account which had only single-factor authentication in place. In this case, it’s likely that access was achieved after the account password was exposed through phishing – where hackers pose as a trustworthy entity (usually via email) to obtain sensitive information such as usernames and passwords.

GDPR

Fortunately for the majority of the businesses mentioned in this article, the breaches and failures fell before the arrival of GDPR. British Airways, however, is the first high-profile business to experience a major data breach since the new rules came into force in April. The new rules outline that a business can be fined as much as 4% of turnover if it has failed to take technical precautions to protect its customers’ data. Unfortunately for BA, if it is found to have failed in that duty of care, then its fine could total £489 million.

On top of reputational damage, the proportionate nature of GDPR means that, more than ever, cybersecurity is an issue big businesses can’t afford to get wrong. The days of thinking ‘bigger is always better’ are numbered.
ABOUT COALFIRE

Coalfire is the trusted cybersecurity advisor that helps private and public-sector organisations avert threats, close gaps and effectively manage risk. By providing independent and tailored advice, assessments, technical testing and cyber engineering services, we help clients develop scalable programs that improve their security posture, achieve their business objectives and fuel their continued success. Coalfire has been a cybersecurity thought leader for more than 17 years and has offices throughout the United States and Europe.

For more information, visit Coalfire.com.

 

ABOUT COALFIRE LABS

The Coalfire Labs team leverages highly skilled penetration testers with focused expertise in helping organisations of all sizes improve their security posture by thinking and acting like an attacker. Coalfire Labs simulates threats, evades your defences, and hunts for active breaches in your environment, and then helps you understand the risk and impact to your organisation.
Mark Roper, Commercial Director at Collinson Group discusses a bank’s role in preventing fraudulent activity.

Telco TalkTalk recently suffered its second data breach in a year, as the Wi-Fi codes of 57,000 customers were revealed, while in December a cyber-attack on Tesco Bank forced the company to repay £2.5 million of losses to over 9,000 customers. Experts claim that customers who don’t bank with Tesco Bank were also left at risk of cybercrime because the bank issued sequential debit card numbers, which makes it easier for hackers to work undetected as they move through customer accounts quickly. While cyber threats aren’t just of concern to financial organisations, these high-profile cases have ensured that banks recognise the need to invest more money in protecting customers’ data.

The scale of fraud continues to grow as internet use grows. In Singapore alone, 72 per cent of residents have experienced cyber-crime in their lifetime, at a cost approaching US$1 billion. Meanwhile, cyber-attacks are predicted to cost Middle Eastern economies more than US$100 billion by 2020. Social media also plays its role in identity fraud. In 2015 there was a 52 per cent rise in younger victims of cybercrime in the UK due to their use of social networks.

For decades, financial services organisations have provided add-ons to accounts and cards that protect someone’s computer when it stops working, an antique when it gets broken, or luggage when it gets lost. But, when a customer’s identity gets stolen there are few products on offer that either help to resolve the matter quickly or, better still, prevent it from happening in the first place.

The current scenario

It’s pretty much impossible not to interact with a financial services brand online now that almost 60 percent of us use online banking. Not only does it provide a valuable service to customers and deliver cost efficiencies, it also enables banks to collate, analyse and use this data as an important asset. It helps them to understand their customers’ behaviours and tailor products and services to them that encourage customer loyalty.

Most of us do not think twice about where our personal information is being stored online, trusting that it is being protected. Banks should ensure that their customers understand the benefits of ID protection, and the impacts of phishing. When we polled 6,125 of the top 10-15 percent of earners globally (the middle-class mass affluent), we found that there’s a strong demand for ID protection, with 57 percent of consumers seeing ID protection as a valuable product. Looking across generations, it’s the millennials (62 percent) and generation X (58 percent) who rate ID protection as more important than the global average.

With more of our personal data being stored online, it’s not clear why identity theft protection is rarely provided as a benefit on a card or account, or within a loyalty programme. It is certainly not due to a lack of consumer demand.

As the facilitators of online transactions and holders of valuable data, retail banks could seize the opportunity to provide their customers peace of mind and enrich their digital experiences by offering identity protection products.

An opportunity for financial service providers

With the fall in interchange fees, credit card loyalty programmes aren’t as lucrative as they once were for banks. This creates a strong argument for banks to provide ID protection as a value-added benefit. When Collinson Group conducted its mass affluent research, it was revealed that only 13 percent purchase it from their bank; much lower than specialist providers (22 percent) and credit card providers (20 percent). Educating customers on the importance of online protection and offering specialist products will help banks re-establish trust with their customers, encourage a better digital customer experience and help build brand loyalty.

At Collinson Group, we recommend that banks consider three points. How do their customers …

  1. Mitigate the risk of public or stolen personal information online

Criminals scan the internet for personal information that can be used illegally or traded on the ‘dark web’. Banks need to be providing online monitoring platforms to mitigate the risk of customers falling victim to identity crime.

Monitoring solutions will alert customers when they are in danger of fraud or identity theft, and classify the level of risk. Details of any potential security risks or breaches can be viewed and assessed, so that action can be taken as required.

  2. Protect lost or stolen cards and documents

Card and document assistance helps keep a customer’s identity secure in the event that cards, documents and data are lost or stolen. Assistance in blocking or cancelling lost or stolen cards, while making sure that copies of important documents are stored securely for easy retrieval, will allow access to missing items without delay.

  3. Protect personal information when online, across multiple devices

Today’s consumers access services and information across a variety of devices. Whether customers use their desktop, or a mobile while on the move, protection from phishing and key-logging attacks (two of the fastest-growing online threats) can be offered.


Final thoughts

Banks have provided additional products to protect our homes, cars and livelihoods as part and parcel of their services for years. As more of us spend time on social media, and indeed the vast majority of transactional banking is done online, banks need to help us protect our identities and personal information from fraud too. Ensuring consumers understand the importance of ID protection, and providing it as an additional customer service, will help banks build trust with their customers and build loyalty towards their brand.

In the light of the highly anticipated new General Data Protection Regulation, which will come into force on 25 May 2018, this month Finance Monthly reached out to Alan Calder, the founder and Chief Executive of IT Governance, a single-source provider of products and services in the IT governance, risk management and compliance sector. Alan is an acknowledged international cybersecurity guru and a leading author on information security and IT governance issues, and over the next couple of pages he discusses all things data protection and GDPR.

What are the common issues that businesses face, with regards to data protection? How can these be avoided? What should be the main data protection considerations for businesses?

In 2016, a large number of high-profile organisations suffered a data breach or were targeted by cyber-attacks. In executing cyber-attacks, criminals rely on exploiting weakness: well-known methods such as phishing scams and spear phishing exploit human gullibility, while weak and unchanged default passwords and unpatched, vulnerable and outdated software all allow attackers and malicious code into your systems.

Every organisation should tighten up in the three main areas that attackers target: their people, their processes and their technology. Clients can protect themselves with anti-malware, or by switching on a firewall, but that's only one part of cyber security.

Criminals also take advantage of internal staff and employees unaware of the current cyber threats to get access to the organisation’s most valuable assets.

To prevent “around 80% of cyber threats” and implement a basic level of cyber security, we encourage organisations to achieve certification to the UK Government-backed Cyber Essentials scheme. The scheme allows organisations to identify vulnerabilities in their system and implement security controls. We recommend using Cyber Essentials to stop low-level attacks, and adopting it in addition to ISO 27001, the international best practice for information security. An ISO 27001-compliant information security management system (ISMS) encompasses people, processes and technology.

Organisations can put antivirus software and firewalls in place to protect themselves from malware, but employees still represent the weakest link in information security. ISO 27001 not only addresses the ‘people’ area of cyber security but also monitoring, maintenance and continual improvement of information security. Certification to the Standard demonstrates to staff, customers and stakeholders that an organisation has taken all the necessary measures to protect their information.

What rules govern companies that have access to more sensitive information (health records and criminal records for example)? How is this information protected by the Data Protection Act?

Organisations collecting and handling the personal data of European residents will be required to comply with the General Data Protection Regulation (GDPR). In addition to this, digital service providers and organisations providing essential services in critical sectors such as healthcare, energy, banking, transport and distribution will be required to comply with the Network and Information Systems (NIS) Directive.

While the GDPR imposes a 72-hour breach notification deadline for reporting personal data breaches, the Directive mandates that organisations notify supervisory authorities every time there’s a significant impact on the delivery of the organisation’s service. The Directive requires essential services and digital service providers to implement “appropriate and proportionate” security systems.

What consequences face companies if they do not adequately protect their clients’ information?

Under the GDPR, which is set to come into force in May 2018, non-compliant organisations can face fines of up to €20 million or 4% of annual worldwide revenue – whichever is higher. As most failures to comply will be revealed by data breaches, these administrative fines – which are discretionary, levied on a case-by-case basis and must be “effective, proportionate and dissuasive” – will be in addition to the costs of remediating the breach and mitigating the loss to affected data subjects.

What constitutes adequate protection of data? What methods can companies put in place to ensure that their clients’ information is protected to a high standard?

To implement adequate data protection measures that help organisations ensure their clients’ data and information is protected to a high standard, we encourage organisations to first comply with the GDPR. Conducting a data flow audit and data protection impact assessments are essential steps towards GDPR compliance as they help organisations identify where data is stored and reduce privacy risks by identifying efficient and effective processes for handling data.

However, as Internet-based activities become integral to everyday operations, so do cyber threats. Technology alone (e.g. software and antivirus) is not enough for businesses to protect their data. By implementing an ISO 27001-compliant ISMS, organisations can prevent threats resulting from human error, faulty processes and flawed technology with an overall strategic and operational approach to information security. Accredited certification to ISO 27001 proves to clients, stakeholders and third parties that the company is following international information security best practice.

What is the purpose of a data protection audit? What type of company benefits from a data protection audit?

Every organisation worldwide can benefit from a data protection audit. It helps identify potential data protection issues and allows organisations to address key risk areas. A data protection audit is the first step organisations need to take to comply with the GDPR. The main benefits of the audit are visibility over data flow, insight into the development of effective strategies to protect personally identifiable information (PII), improving data lifecycle management, identifying efficiencies related to processes, systems and protocol, and reducing privacy-related risk.

More importantly, an audit improves customer satisfaction by reducing the possibility of a data breach that could lead to the client submitting a complaint or even potential lawsuits.

What are the particular legal issues that UK businesses face in relation to new technologies? How do you assist clients with developing appropriate IT policies?

IT Governance helps organisations save the time and cost of developing appropriate policies and procedures for standards such as ISO 27001, PCI DSS and ISO 9001 through various documentation toolkits. Each toolkit contains pre-written model policies and procedure templates which account for all the key issues in compliance with all aspects of the standards. The toolkits are developed by our in-house information security experts to fit our clients’ compliance requirements and are designed to help organisations accelerate their compliance projects by ensuring that all control areas are covered and carefully addressed.

Additionally, our risk assessment software vsRisk helps organisations carry out ISO 27001-compliant risk assessments by providing a simplified and automated risk assessment process that fits the needs of large and small companies.

Do you see the need for any legislative change regarding data protection in the UK?

The primary change in data protection legislation of which organisations should be aware is the GDPR superseding the Data Protection Act (DPA). The GDPR aims to harmonise data protection laws currently in place across the European Union’s member states. Organisations have less than two years to transition, during which they need to update policies and procedures and potentially appoint a DPO.

What has been your flagship piece of work and how did you apply particular thought leadership to this scenario?

We were the first organization in the EU to launch an integrated portfolio of GDPR guidance white papers, webinars, books, documentation toolkits, practitioner and DPO training, transition and compliance consultancy and online staff awareness training. Our management and privacy team identified all the major transition and compliance issues thrown up by the GDPR and, at a point when most UK businesses were wondering whether or not GDPR would apply post-Brexit, we established that it would not only apply but is likely to become integral to UK law for many years after Brexit. Since then, both the government and the ICO have confirmed the position we took and our GDPR portfolio has become the fastest-growing area of our business.

Career Highlights:

About Finance Monthly

Finance Monthly is a comprehensive website tailored for individuals seeking insights into the world of consumer finance and money management. It offers news, commentary, and in-depth analysis on topics crucial to personal financial management and decision-making. Whether you're interested in budgeting, investing, or understanding market trends, Finance Monthly provides valuable information to help you navigate the financial aspects of everyday life.
© 2024 Finance Monthly - All Rights Reserved.