Cyberattacks leading to data breaches have now become one of the most potent threats that businesses in the modern world have to deal with.
Organisations are operating in an environment where they increasingly expose their digital assets to the public. The conduits for this are wide-ranging, from email to mobile apps to social media networks such as Facebook.
There have been plenty of recent examples that highlight how businesses must learn to combat this growing menace. British Airways recently suffered an attack in which a data breach affected 380,000 transactions.
Another incident involved Ticketmaster: after the company was hacked, 35 customers of digital bank Monzo complained of fraudulent transactions on their credit cards, having used those cards with the ticket sales company.
Recently, credit monitoring service Equifax was fined £500,000 by the UK’s Information Commissioner’s Office. The fine followed a compromise of data that affected 15 million UK citizens; globally, 146 million records were stolen from the company in a major data breach last year.
Cyber security company Mimecast conducted an email security risk assessment in which 142 million emails were inspected. All of the emails had already passed through the organisations’ existing email security vendors.
Overall, Mimecast found 203,000 malicious links, 13,176 dangerous file types, 15,656 malware attachments and 41,605 impersonation attacks that had slipped through undetected.
Steve Malone, Mimecast’s director of security product management, said: “Email remains a pressing threat to every organisation’s overall cyber security posture for the simple reasons of scale and frequency.”
“That’s then further exacerbated by the fact employees can become complacent to the numerous threats that could be lying in wait, from simple phishing to targeted impersonation attacks, and ransomware hiding in common attachments.”
Research carried out by solutions provider Kroll revealed that an eye-watering 88% of cyberattacks in the UK over a two-year period were caused by human error.
The most frequent error was sending information to the wrong party by email. “Unfortunately, traditional security awareness programmes have often failed to improve employees’ security skills and training has been more of a tick-box approach to compliance,” added Malone.
Mimecast’s own State of Email Security Report found that 80% of companies are not confident in their employees’ ability to fend off ransomware. Alarmingly, only 11% said that they continually updated employees’ training to spot cyberattacks. The current conditions raise the question of what businesses and cyber security firms intend to do next to reduce the risk of cyberattack. For example, many software vendors engage external security researchers through responsible disclosure schemes, which give researchers a sanctioned route to report vulnerabilities so that they can be fixed before they are exploited.
RiskIQ, a cyber resilience company based in San Francisco, recently analysed the data breach experienced by British Airways and identified the credit card skimming group Magecart as the culprit, as it had been for the Ticketmaster breach.
Fabien Libeau, vice president of RiskIQ for EMEA, explained: “RiskIQ operates on the open Internet to provide organisations with an ‘outside-in’ view of threats and vulnerabilities, that complement their existing security investments in perimeter defence and endpoint protection.”
Libeau also reflected that the company is seeking to drive the debate forward over the potential threats that organisations face from the internet. “We do that in a variety of ways; directly with large organisations, through involvement in industry bodies and through our regular content such as blogs, where we highlight the latest threat actor trends and tactics,” he enthused.
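Magecart attacks, such as the ones RiskIQ attributed above, work by getting skimming JavaScript to run on a site’s payment page, so an “outside-in” audit starts with the scripts that page actually loads. The script below is an added example written for this article; it is not RiskIQ’s, British Airways’ or Ticketmaster’s code, and it makes no claim about how either breach was carried out. The checkout HTML, the hostnames (all under the reserved `.test` domain), the allowlist and the `sha384-PLACEHOLDER` integrity values are all constructed for the example.

```javascript
// Added example (not the page's or RiskIQ's code): an "outside-in" audit of
// the scripts a checkout page loads. A Magecart-style skimmer is JavaScript
// running on the payment page, so inventory which script hosts the page
// trusts and whether each file is pinned with a Subresource Integrity (SRI)
// hash. Page HTML, hostnames and allowlist are constructed for this example;
// the integrity values are placeholders, not real hashes.

const PAGE_URL = 'https://www.example-airline.test/checkout';

// Hosts the site owner has deliberately chosen to load scripts from.
const ALLOWED_HOSTS = new Set(['www.example-airline.test', 'cdn.trusted-cdn.test']);

// Constructed checkout page: two pinned scripts, one unpinned third-party
// script, one script from a lookalike host, and one inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js" integrity="sha384-PLACEHOLDER1"></script>
<script src="https://cdn.trusted-cdn.test/lib/modernizr.js" integrity="sha384-PLACEHOLDER2"></script>
<script src="https://cdn.trusted-cdn.test/lib/analytics.js"></script>
<script src="https://www.exampl-airline.test/js/app.js"></script>
<script>window.checkoutLoaded = true;</script>
</head><body><form id="payment"></form></body></html>
`;

// Pull the src and integrity attributes out of every <script> tag. A regex
// is enough for this constructed page; a real crawler would use an HTML parser.
function extractScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    const integrity = /\bintegrity\s*=\s*["']([^"']+)["']/i.exec(attrs);
    scripts.push({
      src: src ? src[1] : null,
      integrity: integrity ? integrity[1] : null,
    });
  }
  return scripts;
}

// Flag the three things a skimmer audit cares about: inline code (cannot be
// pinned), scripts from hosts outside the allowlist (the lookalike-domain
// case), and allowlisted scripts without an SRI hash (a file modified on the
// server would still load unchanged).
function auditScripts(html, allowedHosts, pageUrl) {
  const findings = [];
  for (const s of extractScripts(html)) {
    if (s.src === null) {
      findings.push({ src: '(inline)', reason: 'inline script cannot be pinned with SRI; review its contents' });
      continue;
    }
    let host;
    try {
      host = new URL(s.src, pageUrl).hostname; // resolves relative paths against the page URL
    } catch (e) {
      findings.push({ src: s.src, reason: 'unparseable script URL' });
      continue;
    }
    if (!allowedHosts.has(host)) {
      findings.push({ src: s.src, reason: `host ${host} is not on the allowlist` });
    } else if (s.integrity === null) {
      findings.push({ src: s.src, reason: 'no integrity attribute; a modified file would load unchanged' });
    }
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed page.
for (const f of auditScripts(SAMPLE_HTML, ALLOWED_HOSTS, PAGE_URL)) {
  console.log(`${f.src}: ${f.reason}`);
}
```

Run with `node` and the constructed page yields three findings: the unpinned analytics script, the script served from the lookalike host, and the inline script. The caveat a practitioner should keep in mind is that SRI only protects a file whose hash lives in HTML the attacker cannot edit; an attacker who can rewrite the page itself can also rewrite the hash, so this check complements, rather than replaces, integrity monitoring on the web servers themselves.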
Regulations now in force compel businesses to brush up on their cyber security competence. Across the European Union there is the Directive on security of network and information systems (the NIS Directive).
The directive is aimed at operators of essential services and digital service providers, who are required to secure their network and information systems. Appropriate measures must be taken to minimise the effect of security breaches and to take account of the latest potential system risks. The directive targets sectors that rely heavily on information and communications technology:
specifically energy, transport, health, water and digital infrastructure. Additionally, the EU General Data Protection Regulation was adopted in 2016 and has applied since May 2018.
The legislation is designed to harmonise data privacy laws across Europe, empower all EU citizens’ data privacy, and reshape the way that organisations view and approach data privacy.
It is hoped that in the future it will be increasingly recognised that cyber security should be a central pillar throughout an organisation, as opposed to a background or “add on” issue.
Regulations at EU level bring to light just what national governments could do in collaboration with cyber security firms and companies.
It’s a potential partnership that could see governments providing incentives for innovation to conquer the threat of data breaches.
Steve Malone of Mimecast, however, opined: “Cyber security experts are better able to analyse new threats and build appropriate defensive technologies, while appreciating the reality of how these tools are deployed within a variety of organisations.”
There is a long way to go, as the British Airways and Ticketmaster incidents prove that there is still a lot to think about before the data breach issue is solved.