The enduring impact of cyber crime

Cyber crime attribution and remediation are barriers to business-as-usual

Cyber crime is no longer a concept reserved for the latest thriller.

Cyber crime has become a very real threat for the UK economy as a whole, and as the landscape continues to become more complex, hackers are able to develop new and innovative ways to access data.

As we take strides towards a more technologically advanced world, the problem seems like it will only get worse. The step change towards technological advancement and the exposure posed by outsourced arrangements, cloud computing and digitisation only creates a bigger hunting ground for these new age criminals. Some reports show that a staggering 40% of security breaches are now indirect, as threat actors target the weak links within software supply chains or the wider business ecosystem.

The recent cyber attacks on the Guardian and Royal Mail are both shocking and grounding at the same time. Whilst there is a well-known fear around the risk of cyber attacks and the increasing levels of sophistication, this fear has become a very public reality. We all knew it was going to happen…it was just a question of when. The next question is: who's next?

It is unfortunately a further call to reality that hackers do not have moral boundaries and can target institutions with maximum public impact. There have been examples of hackers specifically targeting organisations to disrupt service, and also examples of hackers targeting organisations holding sensitive information about members of the public. Attackers look for any opportunity to steal data, plant ransomware, or install evasive malware for longer terms campaigns to achieve their end-goals.

Hackers are undeniably criminals, and perhaps the biggest fear is that this type of criminal is about as easy to hunt down as a ghost. Unfortunately, in the world of cyber criminals ghosts are not a thing of fiction, and these white-collar predators rarely leave a DNA trail behind.

In the short term, a denial of service attack or extortion campaign could cost an organisation millions of pounds, even before factoring in reputational damage and the potential cost of a ransom. Given the very public impact of cyber crime, and the implications of not being able to contain an attack, it is likely to take a longer period of time before an exposed site can be put back online and business-as-usual can continue.

When it comes to a ransom, it is exactly as the fictional novels depicted. Organisations can expect cryptic messages from an anonymised source, and often it is apparent that grammar and spelling were not a top priority. The challenges with paying a ransom fall into three broad categories:

1. Deciding whether the ransom should be paid, and getting key decision makers to reach agreement.
2. Facing the concern that paying a ransom could breach sanctions, contribute to illegal activity and facilitate financial crime.
3. Lacking certainty on whether paying a ransom means all of your data will be returned, and never knowing whether your data has been subject to copy and onward distribution.

The short-term implications, whilst hugely disruptive, are not even close to the long-term damage that may have been caused, depending on the type of data that has been exposed by the crime - which can include commercially sensitive information, as well as personal data belonging to customers or staff.

Along with customers and staff of the targeted organisation having to face the worrying fact that their personal details, such as their name, address, salary and passport number, are now in the hands of a cyber criminal, there is also no certainty of where that data will end up, how it will be used, and what may happen. This is both a scary thought and a chilling reality that many are already facing.

In addition to the clear litigation risk that impacted organisations may now have to deal with in the coming months and years, and in some cases can only anticipate, this is also a case of looking over your shoulder for the individual customers or staff concerned, given that once the data is leaked, it is out there and can be misused at any time and in multiple ways.

The harsh reality is that most organisations could easily find themselves as a victim of cyber crime. The UK government states that 'doing nothing is no longer an option'.

The key is to be resilient, and there are some proactive steps that can be taken:

• Building a defence with people and awareness: Getting people to be part of the solution to securing access, rather than being part of the problem.
• Process defences: Establishing repeatable best practices that naturally build security into the organisation. This should also be linked to general data governance controls.
• Technology defences: Implementing security solutions, specifically those securing access and identity through preventative controls and detective controls, that work with other components to optimise protection and productivity.
• Penetration testing: Treating cyber risk as an operational risk and ensuring that the design of the control framework and its effectiveness are regularly tested. Testing plans should also build in realistic worst case scenarios and stress tests.
• Development of early warning mechanisms and monitoring: Preventing, detecting or disrupting an attack at the earliest opportunity limits the business impact and the potential for reputational damage.
• Readiness testing, recovery plans and rehearsals: This includes planning out response and recovery capability across business and technical skillsets within the organisation, to ensure that the right people and decision makers are well versed and organised from the outset if a cyber attack were to occur.

Nisha Sanghani is a Partner at Ashurst Risk Advisory.