A ‘cyber attack’ generally refers to unintended effects happening to the data and information that an organisation has responsibility for. Most commonly this data can be breached in 3 different ways:
- Confidentiality – someone has it who shouldn’t
- Integrity – the data has been changed without permission and control
- Availability – access to the data has been denied
Cyber attacks can either happen through a deliberate action by someone targeting the data or accidentally by not having appropriate security measures in place. Attackers can be external or internal to an organisation. An internal threat is currently considered the most worrying - people using their legitimate permissions for system access to do damage either maliciously or accidentally.
Perhaps worse than a detected breach is an undetected breach when competitors or criminals have access to a system and make use of the data that lies there without the knowledge of the owner. Although this article focuses on online attacks, other data breaches can arise from eaves-dropping, social engineering and physical security (to name just a few) all of which can result in breaches in confidentiality, integrity or availability of data.
Examples of common cyber attacks
The most topical low-level issues at the moment are “phishing”, which involves seemingly authoritative e-mails to finance departments and legal firms directing a change in payment instructions; system interruption via malware; and disgruntled employees stealing Intellectual Property Rights (IPR).
More sophisticated attacks include system interruption, ransomware and covert IPR theft. New attacks on the ‘Internet of Things will exploit:
- Confidentiality -surveillance cameras that give a view of sensitive areas
- Availability - sensors feeding data to a central point
- Integrity - false readings or worryingly false instructions e.g. to cars
What impact can cyber crime have on my business?
Cyber-attacks on big companies make good news stories however smaller businesses suffer cyber-attacks on a daily basis which usually don’t get reported as a crime. Smaller companies are particularly vulnerable if they form part of the supply chain to a larger target and share privileged IT system access.
Cyber crime results in financial and reputational damage requiring unplanned and often significant expenditure to recover. Business owners and CEOs are also liable to personal fines from the Information Commissioners Office, if it can be proved they failed to ensure adequate security measures were in place.
The Department for Business Innovation and Skills cyber report 2015 suggests the average cost is between £75k - £311k for small businesses and between £1.46m to £3.14m for large organisations but it can potentially bring a business down, depending on the sensitivity of the data.
How do I protect my business from cyber attacks?
Examination of the measures that an organisation can take to protect itself from cyber attacks is a big and complex subject. It cannot be covered in such a short blog but there are lots of things that can be done. Their cost and scope depends entirely on the risk appetite of the business owner and the nature of the system(s) used to hold sensitive data.
Even with significant investment the risk is never “zero” so companies must identify their risks and decide on a mitigation strategy. This can include treating the risks by implementing improvements, transferring them by insurance or by employing security services, or tolerating them; even tolerated or accepted risks need detection and recovery strategies.
The cyber security market typically offers technology-based solutions and gadgets focused on IT, but cyber risk is a board level responsibility beyond the IT department and starts with education and training followed by clear processes and procedures. People are the strongest defence and weakest link of cyber security and supply chains. Doing the basics right will protect any organisation from 80% of the cyber attacks that are most common.
Like in any risk management strategy, the key term is resilience. Cyber resilience starts with planning to, and being able to, recover. If this fails, then responding to a cyber incident is like first aid; it is crucial to prevent further damage before starting to rebuild.
Once a situation is quarantined and stabilised then an organisation will have to start rebuilding from a last known and trusted state, while capturing the evidence of what happened for investigative purposes. Remember to consider the interests of those people and organisations that could have been affected.
Government-backed “cyber essentials” is a good baseline for cyber hygiene and basic controls; it’s obligatory for anyone wishing to contract with the MoD. Other frameworks are available, for example GCHQ’s 10 steps to cyber security, however they don't yet have a widely recognised “badge”.
Some data owners will have legal security obligations such as PCI-DSS. Standards can also be usefully used within supply chains to ensure end to end security between different businesses. ISO 27001 or ISF maturity models are worthy enterprise standards.
About the author
Mark Smyth-Roberts is a Director at C3IA Solutions Ltd, one of GCHQ’s Certified Cyber Security Consultancies. He is also a volunteer with the Gloucestershire Police and Chairman of the Gloucestershire Safer Cyber Forum. Together with his colleagues, Mark is committed to raising the general level of awareness and confidence in cyber security matters as well as delivering services to improve the resilience of customers.