Written by Nick Martindale
The National Risk Register now cites cyber attack among the key threats that government and business should consider when preparing for risk mitigation. Nick Martindale considers the current risk level
A series of scandals throughout 2007 and 2008 seriously undermined confidence in the way the UK government treats sensitive data. The circumstances of the various losses were erratic – disks mislaid by couriers, laptops left on trains and disks going AWOL in the post – and the outcomes ranged from varying degrees of risk to national security and huge embarrassment for the government to millions of people left open to identity theft.
It is not just the loss of physical storage devices that needs to worry risk managers, however. A 2009 survey by Symantec of over 2,000 businesses and government agencies from 27 countries found that three quarters of them had been the victim of a cyber attack. The internet security firm says cyber attacks cost businesses an average of US$2m a year.
The threat to both personal data and the national infrastructure posed by cyber attack is now so intense that it features on the government’s National Risk Register. “Cyber attack may be used more widely by different groups or individuals with various motives,” states the register. “IT systems in government departments and various organisations have been, and continue to be, attacked to obtain the sensitive information they hold. Some of these attacks are well planned and well executed; others represent relatively unskilled hackers.”
Governments, in particular, face challenges when it comes to ensuring the safety of sensitive data, according to Richard Bultitude, forensic technology manager, restructuring and recovery, at Baker Tilly LLP.
“A particular challenge is not necessarily the type of data that is held, but the volume and number of people who require access to it,” he says. The proposed national identity card database was a case in point, with 256 government departments and 48,000 private sector companies intended to have access until the scheme was recently scrapped by the coalition government.
DEALING WITH THE PROBLEM
Since 2008, the UK government has conducted a thorough review of how it handles data – both in the virtual world and physically – and has implemented “substantial changes” as a result, including the establishment of the Office of Cyber Security and the Cyber Security Operations Centre to tackle the problem of online attacks, following the publication of the cyber security strategy in June 2009.
“Cyber crime presents criminals with relatively low-risk, large-scale opportunities,” says Steve Marsh, a spokesperson for the Office of Cyber Security within the Cabinet Office. “It’s a big issue, as ICT provides a primary mechanism for reducing the cost of public administration and it has become more pressing as more services go online. As with large private sector organisations, the risks include direct fraud and theft, disruption to operations, reputational damage and loss of confidence of the public.”
While the public sector is an obvious target for both opportunist hackers and more sophisticated terrorist or state-sponsored cyber crime, this kind of activity is by no means confined to government circles.
In January of this year more than 30 large organisations, including Intel, Google and Adobe, were targeted by cyber criminals seeking intellectual property and information that could be sold on to the black market economy, while a month later 2,500 companies were targeted by hackers in Europe and China using login information from social networking sites to access corporate data.
“Attacks on businesses and government alike are commonplace and increasingly sophisticated in nature,” says Jay Abbott, director of threat and vulnerability management at PricewaterhouseCoopers (PwC). “A lot of the more sophisticated attacks seen today exploit the weakest denominator in the equation: people.
“Attackers make use of reconnaissance techniques and social engineering to identify targets that can easily be compromised, then make use of sophisticated electronic attacks such as zero day exploits to gain a foothold within the target organisation. From here they can build a robust base from which to expand and maintain their access, so as to prolong the exposure and continue to extract information over long periods of time, usually undetected.”
But despite the increasing prominence placed on cyber attacks and other fraudulent attempts to access data, many businesses still fail to incorporate these into their risk strategies, says Abbott. “Often organisations forget to think like the bad guys,” he says. “Whether you are pulling together a controls strategy, or information governance framework, there is a need to think about the data you have, what its black market value is, who would potentially want it, and how they could get it.”
Organisations seeking to protect themselves against this threat have a range of options, he says, from information security governance to security awareness training and the application of technical controls, but understanding the value of data – both internally and externally – is vital to shaping strategies.
Tony Neate, managing director of Get Safe Online, a joint initiative between the Government, law enforcement, businesses and the public sector, says organisations need to ensure there is adequate encryption on devices such as laptops and mobile phones should the devices be hacked into or stolen. Smart phones, in particular, could pose a greater danger in the future, as these allow users to download contacts from office computers. “Companies need to take a broader look at where they’re storing data because it may not just be on a server but also on local drives and potentially a phone, which may have no password protection on it.”
As well as ensuring online security provisions are up to scratch through effective implementation of firewalls and encryption to protect against threats such as malicious scripts and Trojans, it’s also vital to ensure that all employees are regularly reminded of the need to take precautions to protect company data.
Robert Guice, executive vice-president, EMEA, at Shred-it says computers should always be locked while individuals step away from their desks and USB sticks and computer disks tracked at all times. Sensitive documents and data storage devices such as hard drives and USB sticks should be properly destroyed before recycling, he adds.
“Unused hard drives are often forgotten but could contain a wealth of valuable information,” he says.
A SENSE OF PERSPECTIVE
Organisations must also guard against the internal threat, says Bultitude at Baker Tilly. “Too often the emphasis is wrongly placed on attacks from outsiders and not on threats that exist within the firewall, be they the malicious intentions of a member of staff or the loss of data due to inadequate internal controls,” he says. “Data should only be accessible by those who require access to it, and their ability to transfer it out of the secure infrastructure must be strictly controlled.”
The use of third-party providers should also be covered in any risk assessment, and these contractors should be subject to the same internal controls and background checks as full-time employees. “All organisations need to ensure due diligence in their outsourcing of operations, recognising that the risks to the business cannot be outsourced,” says Marsh at the Office of Cyber Security. “Appropriate procedures need to be put in place for technical, personnel and physical security, and adherence to these procedures needs to be actively monitored.”
“When working with any outsourcing organisation, look to them to provide you with independently audited evidence of their practices and procedures,” suggests PwC’s Abbott. “SAS70s, ISO27001 accreditations and regular penetration testing reports are all documents which can provide some comfort while they look after your data.”
The cost of failing to get to grips with cyber security is high. As well as the damage done to reputation and the immediate financial risk from fraud, in April this year the Information Commissioner was given new powers that could see organisations breaching the Data Protection Act fined up to £500,000.
“The government’s hope is that such huge fines will highlight just how serious a risk the loss of sensitive data poses to organisations,” says Guice. The average cost of lost customers alone following a data breach is estimated at between £10,000 and £20,000, he adds.
Yet despite this, and the greater prominence of cyber crime at board level, it’s still possible that attention will be diverted away from the fight against cyber criminals, particularly as the public sector is distracted with huge spending cuts. And that, of course, is when organisations of all types are at their most vulnerable.