Issue 1 2019

CORPORATE VISION / Issue 1 2019

By Andrew Vermes, Specialist Consultant at Kepner-Tregoe (www.kepner-tregoe.com)

Cyber-Attacks: Responding in Crisis

The biggest problem with cyber-attacks today is that they come without warning, when you least expect it, and they cause havoc and irretrievable reputational damage in their wake. We saw it recently with Marriott Hotels, an unknown extent of data breach and one where the repercussions may be felt for many years to come. Even today, scammers are making use of personal data that was acquired after a Yahoo! data incident that occurred many years ago, where email details and passwords were lost. The truth is, these kinds of details are available on criminal exchanges for cents per ID, and the impact and losses continue today.

Large scale cyber-attacks for big hotel groups like Marriott can have the same impact as a burglar gaining access to a resident's room, and because the details can be used for years to come, claims from affected consumers can continue for a long time and potentially run to billions of dollars. Worst of all, the downside risk is not really calculable, and a brand in this situation can only hope that banks, credit agencies and the general public themselves will do enough to limit the damage.

The largest threat today is users

Many authorities believe that the largest threat to cyber-security is users and their lack of attention to detail. It seems unbelievable that so many people still use basic passwords in many instances. Despite the numerous warnings and the security training many of us have today, people still open links in scam emails daily and they allow the use of unknown flash drives. We all live busy lives and often that is how the small details are ignored or missed.

Consider this scenario: a user sees the dreaded blue screen. Rather than reporting an incident, he reboots his system and carries on. A couple of days later it happens again, and again twice the following week. Finally, one morning the laptop refuses to start up. After MIS have taken it away, they report that they found 320 instances of malware on the laptop. Were there any signs? A degree of IT hypochondria would serve many firms well.

Preparing for the possibility of a hack is vital. Any business with information that interacts with the outside world via the internet is always vulnerable, and all large businesses have several layers of security detection and elimination.

Jumping to the wrong conclusion

Multiple reporting tools will flag up any unusual attempts to access data. Multiple defence tools are also used to isolate malware and kill it quickly, and those tools are usually kept updated by an army of expert developers and security vendors who are watching what the hackers are up to. Likewise, in every bank today, there are many hundreds, probably thousands, of attempts to hack into systems every day. The vast majority of hack attempts are taken out by a first line of defence, and those that make it to a second line will be investigated thoroughly and the tools updated accordingly.

Encryption software is big business today and predicted to grow to over $12bn by 2022. Some of this effort has been accelerated by the GDPR regulations: not only do firms face enormous reputational damage, but the EU fines regime means that the penalties for losing data are much bigger, up to €20m or 4% of global turnover (whichever is larger). For Marriott, that fine could amount to as much as $900 million, though they may fall outside EU rules.

When a cyber attack happens, there are a number of common mistakes that businesses make. As with other incidents, they may be too quick to jump to a conclusion, i.e. we found the malware, we killed it, job done. However, if one fails to analyse the exact behaviour of the malware and show how that could have caused the specific alert that was noticed, one may also be overlooking a second or third software agent that's hiding behind the first obvious attack.

Hackers can only take what is available

Going off track during a crisis is commonplace. Sometimes the issue starts way before the attack: for example, GDPR has given European firms a jolt and made them think about how much personal data they really need to hold. Hotels may need to check the passports of foreign guests, but do they really need to keep those details on file? We as consumers continue to reach for the convenience button too and often allow providers to store our credit card details for the next time. Are we happy to allow those leaky computer systems to keep that data on file, or might we be safer spending the additional five seconds to enter the numbers each time we make a transaction? Hackers can only steal what's there after all.

Another contributing factor is the desire of the attacked company to keep quiet about what happened. In some scenarios it is possible that data encryption has prevented the hackers from making any use of stolen details, so you can understand the desire to avoid adverse publicity. Having said that, hiding (even for a short time) is not only unwise but, under EU rules, also illegal.

Take control of the crime scene

If a cyber attack strikes, the most important thing when addressing the problem is to pay attention to the precise behaviour of the system or database at the moment the breach is noticed. The principles are just like a crime scene: you have to notice which way the body is lying and the angle the bullet entered in order to build the investigation. So the questions are: How exactly was the breach noticed? In what way was the system behaving unusually at that time?

Responding quickly while under pressure can be difficult, but one positive example this year came from American Express, following the BA hack: within a day, the company had contacted all of their card users and said they had started enhanced monitoring to protect them from unusual transactions and also that they would cover any losses their customers
