“There are only two types of companies: Those that have been hacked and those that will be hacked.”
“There are only two types of companies: Those that have been hacked and those that will be hacked.” Robert S. Mueller, III, Director of the FBI, made this famous remark, but almost by the time he said it, it was already out of date – it should be ‘There are only two types of companies: Those that have been hacked and those that don’t know they have been hacked.’
The message is that no one and no company is immune from cyber attacks – even Byronvale Advisors! Recently one of our computers got a virus, resulting in ‘unusual’ emails being sent to people – some known and some unknown (our sincerest apologies). While highly annoying and embarrassing, there were lessons to be learned.
Lesson 1 – what is the new ‘normal’
The world and environment in which business operates are changing at lightning speed. Defending against cyber threats alone is no longer sufficient. Even though it slows our systems down, Byronvale Advisors runs dynamic virus protection software on its computers. In addition, Byronvale Advisors runs a secondary daily scan. The traditional ‘protect and control’ mentality, though, is no longer sufficient – attackers have increasingly turned to exploiting people and not just technology.
Lesson 2 – IT security needs to focus on the response rather than the protection
Spending time on creating an impenetrable barrier to cyber attacks is no longer sufficient. Companies need to prepare for the inevitable reality that they will be attacked. You may ask these questions in anticipation of an attack:
- Do you know what you have that others want?
- Do you know how your business plans could make these assets more vulnerable?
- Do you understand how these assets could be accessed or disrupted?
- Would you know if you were being attacked and if the assets have been compromised?
- Do you have a plan to react to an attack and minimise the harm caused?
If the answer to any of these questions is “no”, that is where to focus cyber security and where changes need to be made.
Lesson 3 – People are your biggest strength and biggest weakness
No matter how good or strong your technology defences are – firewalls, anti-virus software, intrusion detection systems – or how robust your internal controls and processes are, your staff remain the weakest link. It is analogous to driving a car – there are road rules, line markings and warning signs – or policies and procedures – and yet people still ignore or disregard them. There is no security patch for stupidity – whether deliberate or not.
So why are companies targeted – especially small companies which may only have a little general information on their website or in their systems? Well, most companies have more information than they realise – and a few large-company attacks give an insight into the type of information cyber criminals are after.
- Sony – 47,000 records stolen with proprietary and employee details (employment, health and emails). Sony’s initial costs were over $100m (reduced to $15m after an insurance payout), but the breach resulted in an 11% sales decline and a 7% fall in share price. Co-chairs resigned after ‘racist’ and other offensive emails were released.
- Home Depot – 56 million credit card numbers and 53 million email addresses stolen – it cost Home Depot $109m to fix.
- JP Morgan – email addresses and physical addresses of 76 million households and 7 million small businesses, costing JP Morgan $83m.
- EBay – hackers took customers’ personal information, affecting 145m active users. The cost to EBay was $145m.
- Target (US) – hackers stole credit card details. Credit card issuers had to reissue cards, costing them $200m. The mid-range ‘price’ per credit card on the black market was estimated at $26.85 – so the breach generated the cyber criminals $53.7m for six months’ work. The CIO, CISO and CEO all lost their jobs, and seven of the ten Directors faced opposition to their re-election for failing to provide sufficient oversight.
The above cases also highlight three important facts about cyber breaches. Firstly, in 69% of all cyber breaches the victims are notified by an external entity. For example, a victim may receive a ransomware message from the criminal, have people calling and advising the company, or have customers querying suspicious transactions on their credit cards. Second, the median number of days that a threat is present on a network before its earliest detection is 205 days (source: Mandiant M-Trends). The longest known threat presence is 2,982 days. The cyber criminal is patient, watching and waiting, gathering information and preparing for the greatest impact. Thirdly, poor handling of cyber incidents (both internally and externally) has led to harsh impacts on many companies.
I was going to write about some common ways cyber attacks are carried out, but it is almost the case that they would be out of date by the time this blog is posted. But cyber crime is big – it is the new ‘drug’ for organised crime. It is less labour- and physical-inventory-intensive than any actual drug, can be carried out anywhere and at any time, and is easily scalable. If it hasn’t already, cyber crime will surpass any other organised crime activity.
My advice, and the one takeaway, is – be aware, be mindful, and be prepared. It is not a matter of if you will be a victim of a cyber attack, but when (if you haven’t already been). Prepare yourself for this unfortunate reality.
The information given above is not to be considered as advice and is general in nature. No information should be accepted as authoritative advice and any reader wishing to act upon the material contained in this blog should first seek properly considered professional legal or accounting advice, which takes into account their specific situations.
Thanks to the EY Cyber team for help with some of the information above.