Data breach for breakfast? Just how secure are your personal and business data files?
Schillings which is one of – if not the – leading reputational protection law firms in the UK, is understandably expert at monitoring the newspapers, historically for stories that may include clients or potential clients about to become known to the general public through the harsh spotlight of unwanted news. What became obvious to the firm as time moved on was how intertwined stories were becoming with technology, as stories of data leaks or breaches caused by external forces like hackers or unaware staff started to hit the newspapers more and more.
Schillings spotted the potential for tech security to have gaps and worse for companies to reveal confidential content, be beset by a data disaster, or be actively targeted by individuals wanting to look inside their companies by fair means or foul.
In the name of science, Citywealth allowed Schillings’ security unit to ‘attack’ and audit our organisation on various levels to show us what the potential was to have our data accessed. It was eye opening. David Prince, who heads up the IT security division at Schillings, was able to get through our security with some basic information given to him and access our desktop computers. He read and copied documents with passwords on them to show us he could. We asked him to go further, looking at secure outsourced systems which took a bit more skill to access and involved a bit of subterfuge. Ultimately he managed to dupe us by copying emails from our email host saying there had been a data breach, then rang our office as the host provider to confirm a data breach which resulted in the whole Citywealth office changing their passwords in a whirl of panic.
Prince says that any security for your technology has to include ‘people defence’ and that many tricks can be played by those with unlawful intent to easily access your computer network. These include throwing a usb stick with a virus on it next to the front door of your office. What would your instinct be? Would you be the do-gooder who puts the stick in your computer to see what’s on it then infecting the office? Possibly. The scenario is not too extreme. The point of the exercise is just to make you realise that we are all more susceptible than we think to being taken advantage of in a big or small way and one that could have a detrimental effect on your or your company’s financial wellbeing.
Having been through the experience and discussed the ins and outs of their service, Karen Jones, Editor, Citywealth, posed David Prince, Security Director at Schillings key questions.
Access all areas?
You say smaller companies have less to worry about with regard to hackers – i.e. those with more technology have more avenues in for hackers to exploit. What size of company does have something to worry about and should consider an audit?
Any business, irrespective of size, or sector, should be concerned about the risk of a cyber-breach. While small businesses have inherently less exposure because they have less technology, this does not mean they can afford to be complacent. Often overlooked is the stark fact that human weaknesses can often be a cause of greater vulnerability than the IT system itself. Small organisations hold an extensive amount of intellectual property and data which is highly valuable and sought after and with less emphasis on process and structure they may be more prone to using third-party software to run their businesses. The key driver for a hacker is value, not size. This makes every business a potential target.
What does an audit entail?
A cyber-breach is never convenient and can happen at any time. We believe it’s better to be prepared by starting your response to a breach before it happens. That is why we advocate regular health checks ‚Äì in order to regularly assess the threats facing your business and mitigate the risk. This is not an annual exercise, which is why we refrain from using the term audit. Instead, it’s about continuously assessing your current position, the adequacy of your controls and your ability to respond to vulnerabilities that are regularly exposed in the software businesses use.
Is it a selling point to say you have been audited and if so, why?
It’s less about being seen to have been “audited‚Äù and more to do with the practical application of the knowledge stemming from a health check. Together, these steps will provide a level of assurance to stakeholders, clients and third-parties regarding the general care and competence of a business, not to mention the importance placed on protecting client data.
Is it something a company would have to have monitored all the time?
By having the technical platforms in place to identify a potential breach, coupled with the processes to alert you to them, businesses can put in place a semi-automated system that doesn’t involve someone staring at a computer screen all day. That said, hackers are continually evolving their methods, which is why regular health checks are required to ensure your semi-automated processes are efficient when it comes to dealing with the ever evolving techniques employed by hackers.
The nature of hacking is based on the actions of an unscrupulous individual and/or individuals. While technology has an important role to play in monitoring and alerting you to a potential breach, the human factor of a business will always be crucial in dealing with the threat.
Tell us some good stories about hackers in the professional world – say a law firm or bank – that would make our readers sit up and take notice?
Earlier this year, a leading UK high street bank was hit by a significant and alarming data security breach ‚Äì the latest in a long line of high-profile data breaches to have taken place in the UK and the USA. In this case, a “whistleblower‚Äù provided a newspaper with a memory stick containing the confidential information of 2,000 customers, detailing customers’ earnings, savings, mortgages, health issues, insurance policies, passports and national insurance numbers. Whilst the initial information provided to the newspaper concerned the details of 2,000 individuals, the “whistleblower‚Äù claimed to have access to the details of 27,000.
One of the most striking aspects of this story is the fact that not only did the breach affect so many people, but that the source of the breach was not an external cyber hacker but rather a rogue employee. What this case highlights is that the actions of a single individual can have a devastating impact on the privacy of those whose data has been compromised, in addition to sullying the reputation of a business and its brand.
Another recent example involved a small, privately owned business. In this case, hackers were able to obtain the business’s client names and contact details. Using a Phishing email ‚Äì an email containing a link to a website infected with malware ‚Äì the hackers emailed the client list claiming there was an issue that required their immediate attention and directing them to the link. By clicking on the link, customers inadvertently provided the hackers with access to their personal and private data, including passwords.
A week later, the business in question was forced to issue a warning to customers, but by this time the reputational damage was already done.
Why has America seen the need for this service but the UK is slow to adopt so far?
The US may appear to have been fast to act, but we would argue that they are only 18 months ahead of the UK in terms of developing adequate business protocols when it comes to the issue of cyber liability insurance. In broader terms, UK businesses are in some cases more advanced than their US equivalents because cyber security is not so much a geographical issue, but more an industry-led issue. Take law firms by way of example ‚Äì legal professional privilege in the UK has meant that a number of firms have been proactively addressing the risks posed by a potential cyber-breach for several years now. In the case of Schillings, we’ve been doing this since 2008.
The US may also appear faster because of volume. In short, the US is 40 times bigger than the UK, so any effort on their part is going to dwarf the UK in terms of scale. However, when you place the UK within the context of the EU, you could say that as Europeans we are moving ahead of the US.
The issue of data protection regulation is changing the cyber-security landscape – whereas before businesses addressed their cyber security because they wanted to, now they have to.
Additionally, the proposal for the Network and Information Security Directive, also known informally as the Cyber Security Directive, was introduced in February 2013 with the intention of ensuring a high common level of network and information security across the EU. The proposed Directive followed hot on the heels of the announcement for plans for similar legislation across the Atlantic,
further emphasising the rise in global concern over the threat of cyber attacks on critical infras­tructure which could have potentially devastating consequences.
Obligations similar to those imposed by the Cyber Security Directive have previously been imposed in the EU on telecommunications and internet service providers. Yet the Cyber Security Directive introduces for the first time security and notification obligations on key providers of information services as well as public administrations and operators of critical infrastructure which rely heavily on information and communications technology, which are essential to the maintenance of vital economic or societal functions.
You told me some devious stories of getting into organisations like throwing a USB stick on the floor outside an office or in a reception loaded with a virus or hacking code and seeing if someone picks it up and puts it into a computer. As most people would probably do that or things along those lines because it seems a sensible idea, how do we get more wary to that fact that we are being targeted?
Years of corporate investment in cyber security can be easily put at risk by employees who lack basic training and awareness.
By way of example, there are currently Wi-Fi hotspots in operation that are designed to capture information as your employees interact with the Internet. In use by would-be and professional hackers alike, these Wi-Fi hotspots look to take advantage of employee hand-held devices or laptops that are pre-configured to automatically connect to wireless networks that have been previously accessed. Employees who choose to access the Internet via this seemingly legitimate network are inadvertently allowing unscrupulous operators, in real-time, to source their usernames, passwords, bank details and e-mail communications.
This method of gaining unauthorised access to information is just one present-day example that demonstrates the importance of cyber security and the need for businesses to invest in awareness training for employees. While Wi-Fi provides enormous convenience in our day-to-day lives, it doesn’t come without risk. Accessible from almost anywhere, whether it is the local coffee house, hotel or restaurant, the risk posed by Wi-Fi hotspots needs to be understood if you’re going to protect your business from potential cyber-crime.
No amount of technology can put a stop to these malicious tactics, although you can educate people to use technology such as 3G or 4G rather than Wi-Fi to access data as this is safer. It requires employees to play their part when it comes to minimising risk and those who have been put through their paces when it comes to information security add incredible value to any organisation’s defence strategy. Conversely, those who haven’t been trained could unknowingly expose the “keys to the kingdom‚Äù and undo years of corporate investment, all in the time it takes to drink a caf√© latte.
Quote me some facts and data about the size of this problem.
According to http://www.arbornetworks.com/ciso/eiureport:
l 83% of organisations are not prepared for cyber security incidents
l 84% of data loss incidents, initial compromise took hours or less
l 64% of data loss cases were not discovered for months or even years
l 78% of attacks were low or very low in difficulty due to a lack of adequate security
Should individuals do it as well as companies?
Yes, but we think it starts with business. Business has a responsibility to educate. To mitigate the risk of a data loss, businesses need to embrace a culture that fundamentally underpins the safe handling of information across the entire business. People are often the weak link in the chain, which is why it is important to strengthen your people defences with over-arching data protection and cyber security training programs that are engaging and relevant.
The process starts with businesses taking the lead and then talking to employees as individuals in order to change behaviours in both the corporate and personal boundaries.
If you are a high-profile person who has a public profile, whether a celebrity, entrepreneur or philanthropist you need to take precautions. There are unscrupulous people and organised crime syndicates that want to get hold of your data whether it be for blackmail, to launch a smear campaign or just to harass you.
Give me three bits of clear advice for readers on this topic that they could implement now?
Accept that you’re a target. By taking an outside view of your business and putting yourself in the mindset of an attacker you can begin to understand the rationale leading to data theft. Two key factors are considered when identifying a target: Reward and Complexity
1) Reward – know your data: By assessing the information and assets you hold within the business you can determine the true value you hold and can begin to prioritise what needs protecting the most. You cannot protect everything in the same way.
2) Complexity ‚Äì know your weaknesses: Once the value has been understood, you can assess what weaknesses exist ‚Äì which if exploited could lead to the loss of, or compromise, your valuable information. It’s critical to accept that breaches will, at some point, occur. The emphasis is no longer just on preventing data loss, but also how you respond to it.
In terms of practical steps:
1) Make sure all of your devices (phones, iPads, laptops and desktop PCs) have a password.
2) Make sure your passwords are not all the same and don’t use the most obvious. The most common password used in the world is ‘123456’. First names followed by the number 1 are also popular.
3) Never put an unknown USB key in your computer.
4) Don’t log onto unknown Wi-Fi hotspots.
5) If you receive an email containing a hyperlink, however authentic the email may appear, apply due-diligence before clicking on it – it may be a phishing email For example, browse to the website manually, instead of clicking the link.
How big a risk is staff leaving with your data? Is blogging about a company and saying they are evil for instance a bigger problem?
They are both equally sized problems. One centres on data protection and the other on reputation defence. The first being a regulation risk, the second a media risk. Together, they both pose a significant risk to reputation.
You mentioned companies merging and protecting their reputation in a deal to ensure it is effective. As a lot of companies are merging and many reports happen of them falling through, this sounds like a useful service. What would you suggest as a pre-cursor to considering a merger?
Businesses need to know where their skeletons are before a potential merger. Then they need to get their house in order in preparing for the future. This covers not just the cyber risks but also carrying out due diligence on all the executives and advisors involved in the deal. You need to know what the key individuals’ digital footprint looks like and tidy that up as well as using technology to strengthen security.
Aside from new EU regulatory reporting requirements that are due to come into play in 2016/17, how a business deals with a cyber- or data breach will act as a signifier to the markets regarding the general care and competence of the business.
When you hacked the Citywealth computers it was a lot of replicating emails from suppliers and telephoning our offices which were thought suspicious initially but with time were accepted. So how wary do we need to be? All con men have worked out tricks to catch us. Can we fool proof ourselves? Or is that what you are offering?
No system can be foolproof as they have been built by humans and so can be broken by humans. Since the dawn of man, determined individuals have gone to great lengths to get their hands on sensitive information. Today’s ‘black-hat’ hacker may be less hands-on but their motives are just as devious. With the international nature of our individual online activities meaning our data is now everywhere, coupled with our dependence on critical infrastructure that resides in the digital stratosphere, hackers possess the ability to undermine the very systems that support vital economic and societal functions.
Whether undertaken for personal gratification, notoriety, curiosity or recompense, today’s black-hat hacker uses a combination of complexity, time and risk to obtain their reward. At their most benign, they are trespassers, rummaging through private systems and databases. At their worst, they are vandals and thieves responsible for bringing down critical infrastructure, stealing intellectual property and damaging reputation ‚Äì whether it be that of a government, business or individual.
As a result, no business can fool-proof itself against the most determined hacker. Instead, it’s about businesses and their employees taking a proactive attitude towards technology. Whether it’s in the office or outside it, employees need to be aware of the threats and then take the time to think about the potential impact of their actions before they proceed.
Key to this is building awareness and a culture of curiosity. Businesses need to empower their employees by giving them the skills to assess and understand the risks associated with data-loss. This can only be achieved by regular over-arching data protection and cyber security training programs that are engaging and relevant.
How are you different to other web reputational monitoring services like reputation.com?
Schillings is not an online based reputation management firm. Whereas they’re algorithm based; we’re tailored and people led. That is not to say they don’t have an important role to play ‚Äì Schillings just operates in a different space.
Schillings is the only business in the world able to offer an award-winning defamation and privacy legal offering with Risk Consulting and Cyber Security. That’s why we’re the SWAT team that businesses call to come in and help them prepare for and deal with a breach. Operating at the speed of reputation, we know how a seemingly innocuous issue can become a media crisis very quickly and what the reputational impact can be. Because of our 30 years at the sharp end of how the press can report on a story we are best placed to advise how to mitigate damage to reputation. We are the only firm who can help businesses with the regulations and practical aspects simultaneously.
As is the case with any reputation crisis, prevention is better than cure. We help businesses to be better prepared by starting their response to an issue before it becomes a crisis. Key to this is carrying out regular health checks, helping clients’ put in place the required processes and simulating the business’ ability to respond to a crisis, whether it be cyber or otherwise.
