Technology solutions are not the only options to protect businesses from a cyber breach

The recent hacking of a number of high-profile websites and entertainment content, such as Game of Thrones, Sony, Apple’s iCloud, British Airways, and eBay, has focused the spotlight firmly on cyber security.

Season 5 of Game of Thrones was leaked online before the first episode was shown this spring on Sky Atlantic. Although it was initially believed that the leak was due to a server breach at series maker, HBO, it was subsequently suggested that it was in fact an example of supply chain security being compromised. The entertainment industry is made up of multiple partnerships involved in different parts of the production process. Accordingly, multiple parties would have had access to the relevant ‘data’ and while external hackers could be to blame it is equally probable that employees were responsible for the leak.

The Game of Thrones leak followed close on the heels of the Sony Pictures Entertainment hacking scandal, which dominated press coverage in Europe at the end of 2014. The hacked data included confidential company emails, financial data and copies of unreleased films. This time the hack was said to have been orchestrated by an external group calling itself the ‘Guardians of Peace’, who demanded the cancellation of the planned release of the film, The Interview, about a plot to assassinate the North Korean leader. US intelligence officials allege that the attack was sponsored by North Korea. North Korea has denied this and some cyber security experts have cast doubt on the evidence, proposing that current or former Sony employees may have been involved.

In the autumn of 2014, iCloud security was called into question following the headline news that compromising photos of numerous high-profile stars had been leaked as part of a wide-scale celebrity hack. An anonymous hacker claimed to have accessed private photos stored on Apple’s online storage facility. This caused widespread concern about the safety of cloud servers and how security could be increased. However, poor end-user security may have given the hacker access.

More recently, British Airways received unwelcome press attention after hackers accessed tens of thousands of customer accounts. Although the airline stated no personal information had been viewed or stolen, it meant the system had to be frozen while the issue was resolved.

Similarly, online marketplace eBay faced difficult questions early last year following a hack attack that exposed millions of customer passwords and other data.

These are only some recent higher-profile examples of the increasingly inevitable online breaches that are estimated to be costing business billions each year.

Cost to the business

A security breach is likely to have a significant effect on any business, with costs arising from the associated operational disruption, remedial steps to repair data leakage, brand and reputational damage and steps to meet regulatory compliance. The overall effect can range from a significant annoyance to an overwhelming loss of control of day-to-day business activities.

An incident will undoubtedly absorb management time, which would otherwise be spent on profitable activities. The business may also find itself liable to third parties for failing to look after their data or if the interruption to the business means that its contracts cannot be fulfilled. In addition, a firm may suffer reputational loss and damage to its brand value if a hack becomes public knowledge.

Technology solutions

It is tempting to think that IT systems are best protected by new technological solutions. That has some truth to it and, recently, the UK’s Information Commissioner’s Office has issued penalties to organisations whose failure to maintain and patch software allowed major data breaches. However, this is only ever part of the answer. A great security product that is not actively operated is as poor as an out-of-date product.

Employee awareness

Absolute security is impossible to achieve. A determined hacker will almost certainly gain access and a typical way in is to send targeted phishing emails carrying malware in attachments to individual employees’ email addresses. Anti-virus software is usually ineffective against such targeted attacks as custom malware will bypass anti-virus software detection.

Staff playing their part in maintaining security is vital. Accordingly, ensuring that the firm provides adequate guidance and training to its workforce is key, as well as maintaining an up-to-date incident response plan so that staff know how to respond to an incident.

Active system monitoring

As has become clear, the cause of a breach can be employees themselves. IT systems should allow employees to access only what they need and active system monitoring is needed to detect unusual activity.

Technical incident response support

Typically, a business may well be unaware that it has been the victim of a cyber attack until some time after the event. Dealing with the issue quickly to repair and prevent further damage is key and bringing in an expert incident response provider rather than trying to fix the problem internally is likely to be valuable. An external perspective on the problem can be invaluable.

Insurance cover

Cyber insurance can also cover the costs of responding to a cyber incident, putting right any compromised data and systems, as well as any loss caused by business interruption. In addition, the policy should protect against claims by anyone affected by the incident.

Conclusion

Some businesses may hold little sensitive data or feel they are unlikely to suffer serious reputational harm from a breach. However, even these businesses will feel the consequences of the diversion of time and resources needed to respond to a breach. It is also hard to quantify the loss of control and insecurity that follow such an incident and cyber security planning should be taken seriously.

Justin Tivey is a legal director and Fiona Pearson is an associate in Bond Dickinson LLP’s insurance group and part of the firm’s cyber risks team