2015 was a busy year for cybercriminals: their attacks on companies such as TalkTalk and Ashley Madison generated massive amounts of negative publicity and severely damaged the reputation of the companies and individuals involved. It also called into question the leadership and control of those companies and led to some high-profile resignations. Specifically, it questioned their understanding of the risk they were exposed to and the porous systems and structures they had put in place to manage that perceived risk.
When dealing with risk it is essential that you know all the risk factors you are exposed to and, more importantly, that you understand those identified risks. Once this is done you can categorise the risks and prioritise your resources appropriately. At a basic level you are trying to remove potential risks, avoid them, reduce them and, in the final stage, accept them if they fall within your carefully defined risk appetite. Managing risk comes at a cost: data management systems aren’t cheap, training invariably isn’t free, compliance, governance and control structures are an ever-increasing cost, cybercrime is a growing threat, and getting the right staff to mitigate your risk exposure is becoming more and more difficult. Consequently regulatory authorities understand that companies need to spend their money sensibly and concentrate their resources where they perceive the greatest threat to the business lies. This means they expect companies to take all reasonable steps to reduce the risk they are exposed to, especially where customers’ data is involved; they do not, however, expect them to bankrupt themselves in the process.
To assist companies, the UK government and the insurance industry published “UK Cyber-Security: The role of insurance in managing and mitigating risk”. This document highlighted how companies could best manage their cybercrime risk exposure and introduced industry good practice, Cyber Essentials and the ten steps to cyber security, which are as follows:
Establish an effective governance structure and determine your risk appetite.
User education and awareness
Home and mobile working protocols
Removable media controls
Management of user privilege controls
Implementation of a critical incident management structure
Effective monitoring controls
These ten essentials are not yet mandatory, but as the cyber threat increases it is likely that we will see insurance firms requesting that they are implemented as a minimum. Failure to implement them may result in insurance firms refusing to pay out or reducing what they pay out, which in some cases may be a substantial amount. If you think this is unreasonable, we only have to look at the retail market, where this is common practice: if you leave your keys in your car and your car is stolen, you are unlikely to be covered by your insurance; in a similar vein, if you went on holiday and left your front door open, would you expect your insurance company to pay out for your negligence? Industry has a duty to act responsibly; it is expected to manage its risks effectively and, most importantly, to protect its clients’ data. It cannot expect another company to bail it out financially when it has failed to implement the basic requirements that the government and insurance industry have set out.
In the 2014 Information Security Breaches Survey, sponsored by the Department for Business, Innovation and Skills, it was reported that 81% of large companies had reported a breach and that the average cost to the company was between £600,000 and £1.5 million. In 2015 the Ponemon Institute released its annual Cost of Data Breach Study: Global Analysis, which estimated that the average consolidated total cost of a data breach in the UK was £2.37 million. The study also estimated that the average cost for each lost or stolen record was £104. To put this into perspective, the cost to Ashley Madison was estimated to be £1.2 billion and to TalkTalk £4 million; these figures do not include legal fees, loss of custom, any fines, the damage to reputation and share price and, of course, the cost of implementing a new data security management system. Getting it wrong is not a cheap option.
Another worrying statistic is that the average length of an intrusion before detection runs at six months, which obviously calls into question the effectiveness of internal anti-malware detection systems. Companies need to ensure that their boundary firewalls and Internet gateways are appropriately configured to prevent unauthorised access to or from private networks, that their systems are configured in the most secure way, that they have implemented an access control strategy that restricts internal access to those who have been given specific authority to enter certain areas (need to know, not seniority) and that their malware protection is up to date and regularly tested. Even after this is done we are still vulnerable: the 2015 Verizon Data Breach Investigations Report stated that 95% of breaches occurred as a result of a user being compromised, and most cybercrime professionals work on the assumption of when, not if, a breach will occur.
The modern cyber threat landscape is changing, and companies need to understand that both they and their customers are the target. Hackers are no longer just the occasional script kiddie in a darkened room; they are often well-organised, well-funded organised crime groups intent on making money from your data, or collectives with a political cause to promote. In some cases it could even be a hostile foreign country trying to work out how to shut down critical infrastructure in time of war, a rival business intent on stealing your intellectual property, or one trying to identify what you are willing to pay in a hostile takeover. Understanding that your information can be monetised or exploited is the first step to understanding the value it represents and the potential risk that you are required to manage.
An additional consideration that you will need to address is the new EU General Data Protection Regulation 95/46/EC (GDPR), which is due to be ratified. Although it will take two years to be fully implemented across European member states, the new legislation will introduce fines for data breaches of up to 4% of worldwide turnover or €20 million, whichever is higher (sanctions are still being ratified and this may rise to €100 million). A two percent figure will apply for more minor breaches. It will apply to non-EU companies doing business in Europe and could represent a significant cost to a company in the case of a significant data breach where it was judged that the company was negligent in its protection of the data.
Cybercrime, cyber-enabled crime, fraud and financial criminality are increasing year on year. We need to adapt to the changing threat landscape to protect our valuable data and avoid prosecution by the regulatory authorities. Companies need to have well-tested contingency plans in place to manage breaches and ensure that any data loss is limited. Care must be taken to identify your critical systems and what must be protected at all costs; you cannot protect everything. Recognising threats and vulnerabilities, such as your staff, customers and service providers, is just part of the process, as is training your staff to recognise phishing emails and to report suspected breaches or suspicious activity within a system. Implementing layered firewalls, using sandboxes, segmenting access, investigating the unknowns within the system, utilising fuzzy logic programs to identify unusual behaviour and investing in regular penetration tests are all part of the solution, as is, I suggest, obtaining a Cyber Essentials certification, which may in turn reduce your insurance premiums and offer some form of protection from a prosecution under the GDPR.
The one thing we cannot do is stand still or assume that we’re safe from an attack.