Andy Barratt – UK managing director at cybersecurity consultancy Coalfire
When it comes to cyber failures, it’s the big names that make the news. It seems that almost every other day we hear about the latest multi-national bank or business falling foul of yet another attack.
In the past few months, IT malfunctions and cyber-attacks have led to widescale disruption that has caused household-name brands to axe their senior leaders, share prices to plummet and panicked customers to re-secure their online accounts.
The IT saga that surrounded TSB this summer was a perfect example of a big business causing itself unnecessary disruption through poor risk management. Customers were left unable to access any of their online accounts for weeks after TSB attempted to migrate client details from an existing IT platform to that of its new owner, Sabadell. Later, when IBM was called in to restore order, it quickly became clear that TSB had not tested the process adequately beforehand, failing to ensure the smooth transfer of data from one platform to another.
In the weeks that followed, the Financial Conduct Authority (FCA) accused the bank’s leadership of ‘portraying an optimistic view’ of the issue and failing to provide the public with a clear picture of what had happened. Customers, MPs and journalists called for the bank to be more transparent and criticised its failure to get to the root of the problem quickly enough.
Logic would suggest that big businesses with extensive resources would have top-class cyber security measures in place, so the question remains: ‘How could a bank like TSB, with presumably vast resources, experience such a catastrophic malfunction?’
The answer is that, despite having bigger budgets and better resources, large enterprises are often not the best prepared to protect themselves against cyber risk. A recent Penetration Risk Report conducted by Coalfire illustrated this point. We found that, on the whole, larger institutions open themselves up to greater risk than their mid-sized competitors who have found the ‘sweet spot’ despite having smaller budgets.
The inaugural study tested the cyber defences of various sized enterprises across sectors including financial services, retail, healthcare, and tech and cloud services. The research involved simulating planned cyber-attacks against the businesses (a practice known as penetration testing) to identify weak spots in their security armour.
Financial services organisations fared better than most but, even in this comparatively well-performing sector, we found that large enterprises were not the most secure.
While it’s worth noting that TSB’s issue was not caused by malicious intent or outside interference, the incident highlighted a disturbing lack of understanding running throughout the business that is indicative of how large corporations expose themselves to risk.
Change the culture from within
Although it may be unreasonable to expect the CEO of every UK bank or FTSE 100 business to be an expert on IT or cybersecurity, ultimately the buck stops with them. This was the case for Paul Pester who lost his job when questions about TSB’s leadership and its competency remained despite his many apologies.
If business leaders want to keep their seats at the boardroom table and help protect their organisation from cyber criminals, they must nurture a positive atmosphere where threats aren’t taboo. Too often in larger enterprises there’s a culture that problems are kept from the board’s attention. Risks are swept under the rug in the hope that they don’t come back to bite.
This mindset where boards are kept in the dark stems from a culture of blame that often filters down from senior levels and can cause untold damage in terms of preventing and managing risk. To reduce the frequency of damaging IT meltdowns we must banish this outdated mode of thinking and move to an environment where staff feel comfortable elevating issues to management, so they can be tackled at the root and not simply patched up.
No senior spokesperson wants to be left facing a media firing squad without a deep-rooted understanding of the issue (even if some details aren’t for sharing externally). One example of a business leader correctly confronting the issue head on was British Airways’ chief executive Alex Cruz when cyber criminals stole the financial details of 380,000 BA customers. This constituted a massive breach with huge implications for the airline and the industry, but the airline boss rapidly communicated a detailed understanding of the problem to its customers and the media – going some way to defusing the situation and buying the business time to put things right.
So what should business leaders be doing to improve their understanding of the risks facing their business?
Be aware of your cybersecurity Achilles’ heel
For firms to successfully manage risk, it’s important to understand that mistakes will happen. Always prepare for the worst-case scenario and how that might come about. Across all sectors, people remain a company’s biggest weakness – and this risk is amplified as the size of the workforce increases – whether through human error or by creating opportunities for social engineering hacks.
Accountancy giant Deloitte found out just how true this can be when hackers breached their security systems and accessed confidential data via an administrator’s account which had only single-factor authentication in place.
Training staff on the importance of strong passwords and knowing how to spot common phishing attacks (where hackers pose as a trustworthy entity in order to obtain sensitive information such as usernames and passwords) is key in helping to prevent this kind of breach. The investment is usually easy to justify when offset against the potential cost of a breach.
Think outside your four walls
Larger businesses and banks also put themselves at risk when they work with partners whose security systems are not of the same standard or accountable to the same regulatory pressures. Vulnerabilities of this kind enable cyber attackers to infiltrate an organisation via its supply chain. Out-of-date software, insecure protocols, misconfigurations, password flaws and patching errors all contribute to weakening the chain’s defences.
The breach that Ticketmaster suffered this summer was likely a supply-chain attack that occurred when a member of the company’s in-house team accidentally re-purposed a piece of code from the website’s external chatbot operator. This created a window for an opportunistic hacker to install malicious software that gave access to millions of customers’ names, addresses, emails, telephone numbers, payment and login details.
The breach suffered by British Airways was likely a similar attack where customer information was extracted online by a malicious piece of stowaway code at the point of entry. Like financial service providers, airlines are particularly vulnerable in this way as they frequently rely on complex infrastructures, including shared airport services, booking agents, aggregators and global distribution systems – many of which simply don’t meet the security compliance rules we set here in the UK.
For businesses of this size, resilience in the face of an attack is the modern approach. It’s safest to assume that someone will find a way in, but responding to that attack quickly will reduce loss and minimise reputational damage.
Keep in mind increased financial implications
Tesco Bank was recently fined £16.4 million following the breach it suffered in 2016. In what was a largely avoidable attack, cyber criminals were able to steal £2.26 million of customer money during the 48-hour incident. Tesco Bank has already paid £2.5 million in compensation to the nine million customers whose accounts were compromised. Initial reports suggested that the FCA had been considering fines of over £30 million, had Tesco not provided such a high level of cooperation and agreed to an early settlement.
Tesco, alongside most other corporations mentioned in this article, was fortunate in that the breaches and IT failures it experienced happened before the arrival of GDPR earlier this year. British Airways, however, was not quite so lucky. If it is found to have failed in its duty of care to take technical precautions to protect its customers’ data, it could find itself facing a fine of almost £500 million, as new rules mean a business can be fined as much as four per cent of its turnover.
With this in mind, it’s clear getting it wrong when it comes to cyber is something that companies can simply no longer afford.