By Matthew Lamb, Managing Director
I recently took a course on Managing Cyber Security Risk because it is an ever-present issue that all organisations, both large and small, face these days. Of course I took away many learnings, but I wanted to talk about one particular issue today; the number of ‘Threat Agents’ that are out there that we need to be conscious of when considering cyber security, or, more properly, undertaking a risk assessment. Naturally it will depend on what your organisation does as to the relevance, and therefore risk, of the list below but one thing that is certain is that the likelihood is very high of one of them affecting the confidentiality, integrity or availability of your data.
1. Nation States
Those companies that operate in certain sectors, e.g. telecoms, oil & gas, mining, power generation, national infrastructure etc., may find themselves a target for foreign nations either to disrupt operations now, or to give that nation a future hold in times of adversity.
We have heard many examples of this from the alleged Russian interference with the US Presidential elections, to Sony claiming that North Korea had been responsible for their sites being hacked in 2014 and more recently the concerns about Huawei providing 5G networks because of the possibility of them passing information to the Chinese government.
2. Non-target specific (Ransomware, Worms, Trojans, Logic Bombs, Backdoors and Viruses perpetrated by vandals and the general public).
There are so many times that companies have said to me “Oh we’re not going to be a target for hackers because….” But the number of random attacks that are going on every day is so vast (there are no accurate statistics on this to share here) that every and any organisation can become a victim.
The most famous example of a non-target specific attack is the WannaCry ransomware incident that affected over 200,000 computers in 150 countries. In the UK it shut down the NHS for several days. And, of course, there is the bored teenager in a loft somewhere just trolling the internet to find a weak link.
3. Employees and Contractors
Machines and software programmes are quite good at protecting against malware, unless it is a Zero-day virus. It is humans that are often the weakest link in the security system, either maliciously or accidentally.
Common mistakes such as sending an email to the wrong person happen but usually we realise the mistake quickly and are able to rectify the situation. Simple measures such as password protecting files can also help to mitigate the effects of such mistakes.
However unfortunately there are also disgruntled people out there who purposefully harm organisations from the inside. Recently Morrisons supermarket faced a case where a disgruntled internal auditor downloaded payroll and other HR personal data and published it on the internet. The ex-employee was convicted and sent to prison, but Morrisons was also fined because it did not have the proper technical and organisational measures in place to prevent this act (note that Morrisons is currently appealing against the fine).
There are also times when organisations need specialist help and so engage contractors, or external agencies, who need some access to their systems, or data. It is often these third parties that can cause a problem because they may not have the same levels of security on their devices that have access to the controller’s data.
4. Terrorists and Hacktivists (political parties, media, enthusiasts, activists, vandals, general public, extremists, religious followers)
Rather like the threat caused by nation states, it does depend on your activities as to the level of threat these agents pose. However some terrorists look to target certain industries or countries so there could be a persistent threat of a random attack against you.
Perhaps the most famous example of this would be the Wikileaks revelations in 2010 publishing over diplomatic cables and other documents relating to the conflict in Iraq and Afghanistan.
5. Organised crime (local, national, transnational, specialist)
Criminals are targeting personal data for a number of different reasons; credit card fraud, identity theft, bank account fraud and so on. These crimes are now being perpetrated on an industrial scale. Methodologies vary from phishing attacks to ‘Watering Hole’ websites, but the end result is the same; you and your data are being extracted and used for nefarious means.
According to the Credit Industry Fraud Avoidance (Cifas) 2018 Fraudscape report, the number of identity frauds increased once again in 2017, with almost 175,000 cases recorded. Although this was only a 1% increase compared with 2016, it’s a 125% increase compared with 10 years ago and 95% of these cases involved the impersonation of an innocent victim.
6. Natural disasters (fire, flood, earthquake, volcano)
Whilst not a cyber attack, these events can have the same net effect to your ability to do business. If you cannot access your offices, data centres, or files stored on the cloud, then you are still experiencing a data disaster, and this must be taken into account. In the UK the threat of earthquake is very low, but every year we see pictures of a town or city under water.
7. Corporates (competitors, partners)
The threat from a competitor stealing your intellectual property is obvious, but we are increasingly working with many partner organisations to fill gaps in skills and resources, or simply to provide services. These partner companies may steal, or reveal, your intellectual property, or the personal data you are storing, either unwittingly, or maliciously, depending on their motives.
Perhaps the example that exemplifies how partner organisations can be the cause of a breach is the attack on the US retailer Target in 2013. The hackers targeted (excuse the pun!!) suppliers and found a weak link with an HVAC contractor, Fazio Mechanical. By sending a phishing email to a Fazio employee, the hackers were eventually able to access Target’s point-of-sale systems. This gave them access to up to 40 million credit and debit cards of shoppers who had visited its stores during the 2013 holiday season. This has cost Target over $200m.
So what can you do about the risk of cyber attacks?
The obvious first step is to undertake a risk assessment on your current status and then to update it whenever this business-as-usual situation changes, e.g. moving into a new country, engaging a new supplier etc. Organisations also need to be managing their data security with a proper management system that reports on what threats it currently faces, and how it is defending against them, as well as scanning the environment for new threats.
Referring back to the GDPR, it constantly mentions implementing “technical and organisational measures” to ensure data privacy and security. Many organisations only rely on their technical measures (firewalls, anti-virus systems etc.) for protection and forget the organisational measures that also need to be implemented (training, access control reviews, business continuity plans, personal data breach plans, policies and procedures, contracts etc.). These organisational measures are critical because it is often the humans that make the mistakes; sending emails to the wrong person, clicking on phishing links, downloading personal data, or forgetting to properly implement the “joiners, movers and leavers” HR processes.
The Data Guardians has extensive experience in advising companies on data protection and data security risk management as well as helping companies to identify and implement the correct, and appropriate, technical and organisational measures, including conducting due diligence on the information security and GDPR compliance status of your data processors.
For more information please email us at email@example.com