Data Security – How Confident Are You?
March 26, 2019
The cyber threat to businesses is significant, and with the digital environment constantly evolving and attackers becoming more sophisticated and determined, maintaining a high level of cyber security within your organisation is imperative.
According to the Cyber Security Breaches Survey 2018, 42% of businesses experienced a cyber security breach in the 12 months before the survey was published; and according to McAfee’s Economic Impact of Cyber Crime, 780,000 records were lost per day in 2017.
For sectors built on trust and confidentiality, such as legal and financial services, a data breach could signal the end of the line as organisations struggle to keep existing customers and acquire new ones. Failing to protect confidential and personal data can severely damage a company, as Yahoo discovered the hard way after losing $85 million because of a data breach which compromised three billion accounts.
Source: Breach Level Index as of February 2019.
Data Breach Targets
Businesses across all sectors are at risk of a data breach, but the most vulnerable include those in the manufacturing, legal, financial services and retail sectors, due to the sensitive and classified information they hold.
We live in a hyper-connected world which is increasingly complex. It is by understanding the biggest risks to your sector that you will understand the most effective ways of managing those risks.
Loss of sensitive data, manufacturing espionage and disruption of access, through tactics such as Distributed Denial of Service, can all be a result of successful exploitation.
According to EEF, AIG and The Royal United Services Institute (RUSI), the manufacturing sector is now the third most targeted for attack. Alongside this, two-thirds of manufacturers admitted they are not insured against cyber attacks. Keeping Intellectual Property (IP) and classified information safe is critical to staying ahead of the competition, and investment in cyber security will reduce the likelihood of an attack taking place.
As a sector that thrives on confidentiality, the legal industry can suffer lasting damage from the loss of client information. Top threats to the legal industry include fund transfer fraud; ransomware; malicious insiders; W-2 phishing scams; and data breaches.
In a 2018 report by the National Cyber Security Centre (NCSC), insiders were revealed to cause over half of data breaches. The NCSC also reported that, according to Action Fraud, from March 2016 to March 2018, 18 law firms reported hacking attempts. The legal sector will remain an attractive target for cyber criminals because of the wealth of sensitive information it can offer, including material on mergers and acquisitions.
The financial services sector is built on trust, and a successful data breach can result in customers cutting all ties with that organisation. Distributed Denial of Service (DDoS) and social engineering, such as spear phishing, are just a couple of ways cyber criminals can gain access.
UK Finance, which represents just under 300 leading firms, claims that cyber security is now second only to political risk as one of the main challenges facing the UK financial sector. Due to the potential value of information within financial IT systems, the industry will remain one of the most popular targets for cyber criminals.
According to a 2018 report by Trustwave, the retail industry was the most compromised sector for the fifth consecutive year, with the main tactics being phishing, point-of-sale breaches and card data interception attacks.
Only a month after the GDPR came into force, Dixons Carphone Warehouse hit the news after it fell victim to a cyber-attack which compromised the personal details of 10 million customers and 5.9 million payment cards. The new regulation means that the company could be fined up to £500,000 for the breach. Because of the vast amounts of financial data being processed by payment and retail vendors, the industry will continue to be a prime target for online criminals.
Consequences of a Data Breach
Organisations in all industries are becoming heavily dependent on IT and technology and, because of this, are falling victim to cyber attacks. The consequences of a data breach can be critical and have long-lasting effects, including financial repercussions and reputational damage.
A study carried out on a group of companies that experienced a data breach of over a million records found that 62% of Americans would stop buying products from a company for several months following a data breach. Four major data breaches over the past five years include WannaCry; Paradise Papers; the Marriott breach; and the BA data breach.
The WannaCry hack, which took place in May 2018, targeting hospitals across the UK, has left the NHS £92 million out of pocket. The attack, linked to North Korea, caused more than 19,000 appointments to be cancelled, and locked out 200,000 computers with red-lettered error messages demanding the cryptocurrency Bitcoin. Following the attack, the NHS was condemned for using outdated IT software, including Windows XP, which because of its age is vulnerable to attack. Alongside the NHS, Renault and FedEx were also affected.
British Airways (BA) fell victim to a malicious data breach in September 2018, after personal and financial details of customers making and altering bookings were compromised. In total, 382,000 transactions on its website and app were compromised in the 15-day data breach. Following the
In November 2018, a data breach at the Marriott hotel chain left the records of 500 million guests exposed. The breach, believed to be carried out as part of a Chinese intelligence-gathering effort, exposed guests’ names, addresses, phone numbers, email addresses, passport numbers, personal hotel account information and reservation information. The breach could cost Marriott up to $200 million, including fines and court-related expenses.
The financial and reputational impact of a data breach on a law firm can be substantial. One well-known example of this was the cyber attack on
Data Security Weaknesses
We believe the industry is currently being driven by ‘threat-mania’. Not all threats are relevant to all organisations; it’s about identifying specific business risks. Underestimating exposure and vulnerabilities in external relationships; a lack of cyber security training for employees; and the lack of a security incident response plan can all lead to a data breach.
Following research on the matter, it is clear that the majority of breaches are caused by criminals but, due to inappropriate data handling policies and procedures, careless data handling and low data security awareness, accidental data breaches aren’t far behind.
As the examples of noteworthy data breaches above show, common causes of breaches include weak and stolen credentials; malware; social engineering; unsecured networks; and insider threats. Insider threats are malicious threats to a business stemming from someone within that business; this can be a current or former employee or an associate with inside knowledge.
Zero-Trust Approach to Data Security
At Secrutiny, we believe in a zero-trust approach to data security, a term first coined by Forrester, whereby you assume that everything is untrusted, regardless of whether it is inside or outside the perimeter (aka Secure Circle), and all data must be protected by default. Unlike existing data security solutions, this approach protects data at all times, whether it is in use, in transit or at rest, without affecting the end user’s workflow.
This approach to data protection and monitoring enables your organisation to easily follow security standards for storing, processing and transmitting data. As well as providing a more secure environment, the zero-trust way of thinking has a proven track record of reducing time to breach detection, alongside reduced IT complexity; fewer management and skill-set requirements; and a high-ranking end-user experience.