The failure of enterprise to prepare for cyberattacks

Late last month, Zeitgeist went with friends to his local theatre to see “Teh [sic] Internet is a Serious Business”. The play, a story of the founding of the hacktivist group Anonymous, was the most well-publicised dawn of cyberattacks on businesses and governments. The organisation, at its best, set it sights on radical groups that promoted marginalisation of others, whether that was the Church of Scientology in the US or those trying to dampen the Arab Spring in Tunisia. This collective, run by people, some of whom were still in school, showed the world how vulnerable institutions were to being targeted online. We wrote about cybersecurity as recently as this summer, summarising the key points in a recent report from The Economist on what was needed to mitigate against future attacks and how to reduce the damage such attacks inflict. The issue is not going away (and in fact is likely to become worse before it gets better).

It was back in January that management consultancy McKinsey produced a report, ‘Risk and responsibility in a hyperconnected world: Implications for enterprises’, where they estimated the total aggregate impact of cyberattacks at $3 trillion. There is much to be done to avert such losses, but the current picture is far from rosy. Most tech executives gave their institutions “low scores in making the required changes”, the report states; nearly 80% of them said they cannot keep up with attackers’ – be they nation-states or individuals – increasing sophistication. Moreover, though more money is being directed at this area, “larger expenditures have not translated into an increased maturity” yet. And while the attacks themselves carry potentially devastating economic impact on a company, their prevention comes at a price too for the business, beyond the financial. McKinsey reports that security concerns are delaying mobile functionality in enterprises by an average of six months. If attacks continue, the consultancy posits this could result in “a world where a ‘cyberbacklash’ decelerates digitization [sic]”. Revelations about pervasive cyberspying by Western governments on their own citizens could well be a catalyst to this. Seven points are made in the report for enterprises to manage disruptions better:

1. Prioritise the greatest business risks to defend and invest in.
2. Provide a differentiated approach to defence of assets, based on their importance.
3. Move from “simply bolting on security to training their entire staff to incorporate it from day one into technology projects”.
4. Be proactive; develop capabilities “to aggregate relevant information” to attune defence systems
5. Test. Test. Test again.
6. Enlist CxOs to help them understand the value in protection.
7. Integrate risk of attack with other corporate risk analysis

Given the amount of business and social issues that involve digital processes – “IP, regulatory compliance, privacy, customer experience, product development, business continuity, legal jurisdiction” – there is a huge amount of disagreement about how much state involvement there should be in the degree to which enterprises must take steps to protect themselves. This is an important point for discussion though, and we touched on it when we wrote about cyberattacks previously.

But that report was way back in January, things must have solved themselves since then, right? Last week, PwC reported that corporate cyber security budgets are being slashed, even while cyberattacks are becoming far more frequent. The FT reported that global security budgets fell 4% YoY in 2014, while the number of reported security incidents increased 48%. Bear in mind these are only reported incidents. This is potentially no bad thing, if we’re to go by McKinsey’s diagnosis of too much money being thrown at the problem in the first place. At the same time, it’s not exactly comforting.

Only a few days after PwC’s figures were published, JP Morgan revealed that personal data for 76 million households – about two-thirds of total US households – had been “compromised” by a cyberattack that had happened earlier in the year. Information stolen included names, phone numbers and email addresses of customers. It was also revealed that other financial institutions were probed too. Worryingly, the WSJ reports that investigators disagree on what exactly the hackers did. It was also unclear who was to blame; nation state or individual. Such disagreements over the ramifications of the attack, the identity of the attackers as well as the delayed revelation of the attack itself, illustrate just how necessary transparency is, if such attacks are to be better protected against and managed in the future.

For those in London at the end of the month, The Economist is hosting an event for those who apply, on October 21, examining “how businesses can and should respond to a data breach, whether it stem from a malicious insider, an external threat or simple carelessness”. Hope to see you there.