
Posts Tagged ‘Cyberrisk’

The failure of enterprise to prepare for cyberattacks


Late last month, Zeitgeist went with friends to his local theatre to see “Teh [sic] Internet is a Serious Business”. The play tells the story of the founding of the hacktivist group Anonymous, whose campaigns marked the most widely publicised dawn of cyberattacks on businesses and governments. At its best, the organisation set its sights on radical groups that promoted the marginalisation of others, whether the Church of Scientology in the US or those trying to dampen the Arab Spring in Tunisia. The collective, run by people some of whom were still in school, showed the world how vulnerable institutions were to being targeted online. We wrote about cybersecurity as recently as this summer, summarising the key points of a report from The Economist on what was needed to mitigate future attacks and to reduce the damage they inflict. The issue is not going away (and is in fact likely to become worse before it gets better).

It was back in January that management consultancy McKinsey, working with the World Economic Forum, produced a report, ‘Risk and responsibility in a hyperconnected world: Implications for enterprises’, which estimated the total aggregate impact of cyberattacks at $3 trillion. There is much to be done to avert such losses, but the current picture is far from rosy. Most technology executives gave their institutions “low scores in making the required changes”, the report states; nearly 80% of them said they cannot keep up with the increasing sophistication of attackers, be they nation-states or individuals. Moreover, though more money is being directed at this area, “larger expenditures have not translated into an increased maturity” yet. And while the attacks themselves carry potentially devastating economic consequences for a company, preventing them also comes at a price for the business, beyond the financial: McKinsey reports that security concerns are delaying mobile functionality in enterprises by an average of six months. If attacks continue, the consultancy posits, this could result in “a world where a ‘cyberbacklash’ decelerates digitization [sic]”. Revelations about pervasive cyberspying by Western governments on their own citizens could well be a catalyst for this. The report makes seven points for enterprises that want to manage such disruptions better:

  1. Prioritise the greatest business risks to defend against and invest in.
  2. Take a differentiated approach to defending assets, based on their importance.
  3. Move from “simply bolting on security to training their entire staff to incorporate it from day one into technology projects”.
  4. Be proactive: develop capabilities “to aggregate relevant information” so that defences can be tuned to the threats actually faced.
  5. Test. Test. Test again.
  6. Enlist CxOs, helping them understand the value of protection.
  7. Integrate the risk of attack into wider corporate risk analysis.

Given the number of business and social issues that involve digital processes – “IP, regulatory compliance, privacy, customer experience, product development, business continuity, legal jurisdiction” – there is considerable disagreement about how far the state should be involved in dictating the steps enterprises must take to protect themselves. It is an important point for discussion, though, and one we touched on when we wrote about cyberattacks previously.

But that report was way back in January; things must have solved themselves since then, right? Last week, PwC reported that corporate cyber security budgets are being cut even as cyberattacks become far more frequent. The FT reported that global security budgets fell 4% year on year in 2014, while the number of reported security incidents rose 48%. Bear in mind these are only reported incidents; the true number is almost certainly higher. Lower spending is potentially no bad thing, if we take McKinsey’s finding that larger budgets have not bought greater maturity as a sign that money was being thrown at the problem rather than spent well. At the same time, it’s not exactly comforting.

Only a few days after PwC’s figures were published, JP Morgan revealed that personal data for 76 million households – about two-thirds of all US households – had been “compromised” by a cyberattack earlier in the year. The stolen information included customers’ names, addresses, phone numbers and email addresses. It also emerged that other financial institutions had been probed. Worryingly, the WSJ reports that investigators disagree on what exactly the hackers did, and it remains unclear who was to blame: a nation state or individuals. Such disagreements over the ramifications of the attack and the identity of the attackers, as well as the delayed revelation of the attack itself, illustrate just how necessary transparency is if such attacks are to be better protected against and managed in the future.

For those in London at the end of the month, The Economist is hosting an event on October 21 for those who apply, examining “how businesses can and should respond to a data breach, whether it stem from a malicious insider, an external threat or simple carelessness”. Hope to see you there.

Cyberattacks and espionage – Risks and Prevention


It’s not quite as cool as Bond in his Tom Ford suit leaning on his wonderful Aston Martin while he plots his next move to unseat some despot. All the same, Germany’s recent apparent spate of typewriter purchases points to a renewed fear of being overheard and compromised in an era of digitally pervasive content, vulnerable networks and indelible conversations. Spying and intelligence concerns coalesced with subject matter we’ve previously written about – online privacy, governance, security and the internet of things – in a special report in last week’s The Economist, which ran eight articles on security in a digital landscape. Some highlights:

  • Cybercrime is costly. The Center for Strategic and International Studies estimates the annual global cost of digital crime and intellectual-property theft at $445 billion – a sum “roughly equivalent to the GDP of a smallish rich European country such as Austria”.
  • Focus on prevention rather than reaction. As with many things, the best way to make sure cyberattacks aren’t too damaging to your business is to make sure they never succeed in the first place. It’s more difficult (and costly) with digital security because the process can easily feel like a Sisyphean struggle: businesses invest in new technology only to see it circumvented by further hacking, perhaps through a different loophole or vulnerability. But an iterative approach is still better than leaving the door open and spending more money after the fact.
  • Honesty is the best policy. After being hacked, a company can find it hard to admit it. This is understandable: not only is it somewhat embarrassing, it tells customers and shareholders that the company is vulnerable and suggests that their data is not safe with it; perhaps they should shop elsewhere. However, transparency in such a situation is paramount if others are to learn how to combat such attacks. One suggestion is that the US government “create a cyber-equivalent of the National Transportation Safety Board, which investigates serious accidents and shares information about them”.
  • Who to complain to? The perpetrators of cybercrimes are no longer limited to the teenaged hackers of yesteryear. Though ideological groups like Anonymous remain a disruptive influence, often the biggest problems are caused by the very governments charged with protecting individual privacy, security and freedom of speech. From the US to China, authorities “do not hesitate to use the web for their own purposes, be it by exploiting vulnerabilities in software or launching cyber-weapons such as Stuxnet, without worrying too much about the collateral damage done to companies and individuals”.
  • External trends point to a worsening of the problem. The Internet of Things will connect billions of devices to each other over the next few years. Since one of its fundamental ideas is that the user isn’t really aware of the connection, the chance of spotting a hacked device becomes all the smaller. That isn’t a huge problem when a hacked fridge is used to send spam email, but it is when hackers can gain remote control of your car. One of the barriers to improved security for everyday devices is that margins are razor-thin, as are the chips inside the devices, which must stay small to keep the product small. Any added security software or hardware increases both the cost and the size of the product.

Zeitgeist believes that the risk to IoT devices will be one of the key areas on which businesses and regulators will need to focus their efforts in future. Because it is still a relatively fledgling sector, the issue is not yet being discussed in many places. Deloitte, in association with the Wall Street Journal, recently reported on the nature of cyberrisks and how companies can help mitigate them. Well worth a read.