Data Security – How Confident Are You?

March 26, 2019

The cyber threat to businesses is significant, and with the digital environment constantly evolving and attackers becoming more sophisticated and determined, maintaining a high level of cyber security within your organisation is imperative. 

According to the Cyber Security Breaches Survey 2018, 42% of businesses experienced a cyber security breach in the 12 months before the survey was published, and according to McAfee’s Economic Impact of Cyber Crime, 780,000 records were lost per day in 2017.

For sectors built on trust and confidentiality, such as legal and financial services, a data breach could signal the end of the line as organisations struggle to keep existing customers and acquire new ones. Failing to protect confidential and personal data can severely damage a company, as Yahoo discovered the hard way after losing $85 million because of a data breach which compromised three billion accounts.

Source: Breach Level Index as of February 2019.

 

Data Breach Targets

Businesses across all sectors are at risk of a data breach, but the most vulnerable are those in the manufacturing, legal, financial services and retail sectors, due to the sensitive and classified information they hold.

We live in a hyper-connected world which is increasingly complex. It is by understanding the biggest risks to your sector that you will understand the most effective ways of managing those risks.

Manufacturing

Loss of sensitive data, manufacturing espionage and disruption of access, through tactics such as Distributed Denial of Service, can all be a result of successful exploitation. 

According to EEF, AIG and The Royal United Services Institute (RUSI), the manufacturing sector is now the third most targeted for attack. Alongside this, two-thirds of manufacturers admitted they are not insured against cyber attacks. Keeping Intellectual Property (IP) and classified information safe is critical to staying ahead of the competition, and investment in cyber security will reduce the likelihood of an attack taking place.

Legal

As a sector that thrives on confidentiality, loss of client information can leave lasting damage. Top threats to the legal industry include fund transfer fraud, ransomware, malicious insiders, W-2 phishing scams and data breaches.

In a 2018 report by The National Cyber Security Centre (NCSC), insiders were revealed to cause over half of data breaches. The NCSC also reported that, according to Action Fraud, 18 law firms reported hacking attempts from March 2016 to March 2018. The legal sector will remain an attractive target for cyber criminals because of the wealth of sensitive information it can offer, including material on mergers and acquisitions.

Financial Services

The financial services sector is built on trust, and a successful data breach can result in customers cutting all ties with that organisation. Distributed Denial of Service (DDoS) and social engineering, such as spear phishing, are just a couple of ways cyber criminals can gain access. 

UK Finance, which represents just under 300 leading firms, claims that cyber security is now second only to political risk as one of the main challenges facing the UK financial sector. Due to the potential value of information within financial IT systems, the industry will remain one of the most popular targets for cyber criminals.

Retail

According to a 2018 report by Trustwave, the retail industry was the most compromised sector for the fifth consecutive year, with the main tactics being phishing, point-of-sale breaches and card data interception attacks.

It was only a month after the GDPR came into effect that Dixons Carphone Warehouse hit the news after it fell victim to a cyber-attack which compromised the personal details of 10 million customers and 5.9 million payment cards. The new regulation means that the company could be fined up to £500,000 for the breach. Because of the vast amounts of financial data being processed by payment and retail vendors, the industry will continue to be a prime target for online criminals.

Consequences of a Data Breach

Organisations in all industries are becoming heavily dependent on IT and technology and, because of this, are falling victim to cyber attacks. The consequences of a data breach can be critical and have long-lasting effects, including financial repercussions and reputational damage.

A study carried out on a group of companies that experienced a data breach of over a million records found that 62% of Americans would stop buying products from a company for several months following a data breach. Four major data breaches over the past five years include WannaCry, Paradise Papers, the Marriott breach and the BA data breach.

NHS

The WannaCry hack, which took place in May 2018 and targeted hospitals across the UK, has left the NHS £92 million out of pocket. The attack, linked to North Korea, caused more than 19,000 appointments to be cancelled and locked out 200,000 computers with red-lettered error messages demanding the cryptocurrency Bitcoin. Following the attack, the NHS was condemned for using outdated IT software, including Windows XP, which because of its age is vulnerable to attack. Alongside the NHS, Renault and FedEx were also affected.

British Airways

British Airways (BA) fell victim to a malicious data breach in September 2018, after personal and financial details of customers making and altering bookings were compromised. In total, 382,000 transactions on its website and app were compromised in the 15-day data breach. Following the breach, cyber security firms discovered that stolen data from the attack, which had been linked to Russian hackers, had been found for sale on the dark web for as little as £6.95.

Marriott

In November 2018, a data breach at the Marriott hotel chain left the records of 500 million guests exposed. The breach, believed to have been carried out as part of a Chinese intelligence-gathering effort, exposed guests’ names, addresses, phone numbers, email addresses, passport numbers, personal hotel account information and reservation information. The breach could cost Marriott up to $200 million, including fines and court-related expenses.

Paradise Papers

The financial and reputational impact of a data breach on a law firm can be substantial. One well-known example of this was the cyber attack on the law firm Appleby, otherwise known as the Paradise Papers. The leak of 13.4 million confidential files to German reporters back in 2016 exposed offshore investments belonging to some of the world’s wealthiest citizens, including The Queen, Bono and members of Donald Trump’s cabinet.

Data Security Weaknesses

We believe the industry is currently being driven by ‘threat-mania’. Not all threats are relevant to all organisations; it’s about identifying specific business risks. Underestimating exposure and vulnerabilities in external relationships, a lack of cyber security training for employees, and the lack of a security incident response plan can all lead to a data breach.

Following research on the matter, it is clear that the majority of breaches are caused by criminals, but due to inappropriate data handling policies and procedures, careless data handling and low data security awareness, accidental data breaches aren’t far behind.

As the examples of noteworthy data breaches above show, common causes of breaches include weak and stolen credentials, malware, social engineering, unsecured networks and insider threats. Insider threats are malicious threats to a business stemming from someone within that business; this can be a current or former employee, or an associate with inside knowledge.

Identity-Centric Approach to Data Security

Secrutiny believe in an identity-centric approach to data security:  

  • Unlike existing data security solutions, protection is not defined by device or network or location or data classification but by user groups and identities.
  • No longer are we looking at files, but the data itself. If we look at data then it doesn’t matter where it goes, or in what format, because the data inherits the previous protection.
  • As the approach is built upon data rather than file classification, the system can discover data across the enterprise; this is how we bring sensitive data back under control.
  • An identity-governed approach does not change how the user interacts and collaborates.
