Cyber-attacks And Security Breaches

The Biggest Threat To Your Businesses In 2016


Kate Rawlings, Press Officer | 0114 274 4238

A former vice president who disabled the Wi-Fi capability in his pacemaker for fear of an assassination attempt, a Barbie doll which can be turned into a surveillance device and hackers who can manipulate the stock market: they may all sound like they come from the plot of a futuristic dystopian sci-fi novel, but all of these things have already happened.

Hilton, Samsung Electronics, Carphone Warehouse, TalkTalk, Ashley Madison, JD Wetherspoon, V-Tech and the BBC are just some of the household names that became victims of cyber-attacks last year.

Figures for cybersecurity and data protection breaches reached a record high in 2015, for businesses both large and small.

The Breach Level Index report, which provides a centralised global database, showed that there were 888 data breaches in the first half of 2015, which compromised 246 million data records of clients’ personal and financial information worldwide. The problem is growing; a recent PricewaterhouseCoopers (PwC) global state of information security survey found that there had been a 38% rise in detected cyber-security incidents.

In 2015 British firm Lloyd’s estimated that cyber-attacks, including the damage itself and subsequent disruption to business, were costing companies as much as $400 billion a year.

With the figure set to continue rising, legal specialists are warning that firms need to prioritise this as a critical risk and have a business continuity plan in place to deal with any incident.

Why do cyber-attacks and security breaches pose such a threat to businesses?

Partner and cybersecurity expert, Georgie Collins from law firm Irwin Mitchell, says that no business is immune and has helped to create an online quiz to help raise awareness of the issue.  One of the endemic problems is the lack of recognition, prioritisation and planning.  A recent Institute of Directors (IoD) study found that 43% of surveyed businesses did not know where their data was physically stored.

Collins said: “Cybersecurity has not featured on the agenda in the boardroom.  It is often seen as an ‘IT/Techy’ issue rather than a business issue.  Coupled with the mantra ‘it won’t happen to me’ and the perception that cyber-attacks and data breaches are the prevail of financial institutions, tech companies and government related agencies, all leads to huge vulnerability.

“Part of the problem is that many senior decision makers have failed to grasp the scale that cyber-attacks pose. The reality is that every business with an online presence, which holds data and information and has staff, is at risk. It is not just a question of beefing up your IT system with security protocols and firewalls but having an understanding and educating staff about the risks.

“Further, businesses cannot just look at their own systems in isolation.  Businesses are part of a broader network, including their customers and suppliers.  The issue has to be looked at holistically in terms of how a business functions both internally and externally.

“It’s been reported that the demand for cybersecurity experts quadrupled in 2015 and is now at a record high in light of some of the headline grabbing data breaches we have seen lately. This leap indicates that the tide may be turning in terms of perceived threat.”

Are small businesses at risk too?

Despite big businesses dominating the headlines in terms of data breaches and cyber-attacks, smaller firms and SMEs must also take action. A UK government survey in 2015 found that 74% of SMEs in the UK had suffered a data breach of some kind.

Vulnerability to a cyber-attack or security breach typically increases with the complexity and size of a business, especially if it has large data pools which large numbers of people access.

In October 2015, Scottish firm Ellen Conlin Hair & Beauty paid 1,000 euros in bitcoins through a third party after its system was breached and locked and the hackers threatened to delete the information unless the ransom was paid.

The bosses said they had decided to pay because they could not afford to lose business.

How are businesses being targeted?

This kind of ‘ransomware’ attack is similar to the Ashley Madison attack in July 2015.

The high-profile attack saw "The Impact Team" steal user data from the commercial website, which enables extramarital affairs, and then threaten to release users' personal identities if the site was not immediately shut down.

The group went on to leak more than 25 gigabytes of company data, including users' real names, addresses, search history and credit card transaction records, and the breach resulted in the CEO, Noel Biderman, stepping down.

“These attacks show how valuable data can be. Customers expect a certain level of protection and when a hack becomes public knowledge the damage to reputation could be insurmountable,” said Collins.

“Whether the motivation behind the attack is for financial gain, or to usurp an organisation for moral reasons, the outcome is the same; clients will lose trust in a business, and that comes at a cost.”

The most popular type of cyber-attack of 2015 was the Distributed Denial of Service (DDoS) attack.

According to a report by security firm Akamai, there was a 180 per cent rise in the number of DDoS attacks last year. Even ‘Auntie’ fell to one on New Year’s Eve when the BBC and iPlayer websites were taken down for several hours.

A DDoS attack uses large numbers of infected machines, ordering them to repeatedly try to access a particular website until it eventually crumbles under the pressure, bringing the site down.

“Having your website taken down can lead to both reputation and financial losses. Depending on the business, the damages could run up into the millions,” said Collins. 

“Businesses need contingency plans in place to cope with attacks like this. They also need to make sure they have up to date and full insurance policies which protect them in the event of such an attack.” 

The IoD study found that only 20% of businesses hold cyber insurance, with a further 21% unsure as to whether it is necessary.

Are websites the only target of cyber criminals?

As we find ourselves living in an age of convenience, everything from central heating to children’s toys has become Wi-Fi enabled, so they can be controlled by apps via mobile devices.

Hackers have found new ways to exploit the new technology by breaking into these systems and taking control, which is known as an Internet of Things (IoT) attack.  The PwC survey found that attacks on IoT mobile devices had risen 36% in 2015.

“When V-Tech were hacked, private data which included photos and addresses of 6.4 million children was exposed. The breach was every parent’s worst nightmare,” said Collins.

“You could argue that as a toy company V-Tech would not be expected to have top notch security but the hack proves that it should be a priority for all types of businesses who use this technology.

“Researchers have ‘hacked’ Mattel’s latest Wi-Fi enabled Barbie doll to turn it into a surveillance device for spying on children without the owner’s knowledge.

“They’ve been able to remotely gain access and take control of a Jeep while it was driving at 70mph on a highway in the US.

“Even the former US Vice President Dick Cheney had doctors disable his pacemaker’s wireless capabilities for fear hackers could mount an assassination attack from behind a computer screen.

“When you consider Wi-Fi capability in aircraft, CCTV cameras and weapons, IoT attacks show that all businesses need to consider the risk.”

What about smart phones and laptops?

Thanks to the growth of the market for Android smartphones, businesses are also facing risk of security breaches via mobile devices.

Hackers can break into a mobile browser and compromise an entire phone by bypassing system-level security measures. 

Many phones now come preloaded with applications that are not authenticated by Google’s security team, which can make a device even more vulnerable to remote hijacking.  

“Employers need to ensure staff are using adequate security precautions,” said Collins. 

“Ask yourself how many times you’ve allowed your work phone access to unsecured AP/Wi-Fi connections. Have you changed the setting so your phone doesn’t connect automatically? Do your employees know what it means that some Wi-Fi connections don’t encrypt data communicated through the network? Does the workforce know the risk?”

Another huge concern that arises from mobile devices is the ability of a hacker to eavesdrop on conversations or view messages that a user sends or receives. 

“All it takes is for the wrong information to fall into the wrong hands for a data breach of great magnitude to occur,” said Collins. 

How can a workforce protect a business from data breaches?

A major cause of data breaches is human error.  

Fraudsters have upped their game, and are adept at conning their victims using psychological manipulation, or "social engineering". 

“The ways in which criminals can exploit technology grows daily but the weak spot they will never tire of using is us,” warned Collins. 

In the past two years there has been a boom in social engineering, with reported losses in 2015 doubling to nearly $1bn (£675m). 

International police agency Interpol has even identified this type of crime as one of the world's emerging fraud trends.

She added: “Criminals will target individuals to get sensitive information which could then help them gain access to a company where they could go on to steal, manipulate data, or hold it to ransom. 

“In 2015 a fraudster posed as a senior member of staff who contacted a colleague in the financial department and requested they transfer a large amount of money from the company’s accounts into the criminal’s accounts - that scam caused the victims, Ubiquiti Networks Inc, to lose $39.1 million.

“Employees at all levels need to be fully aware of how to spot these phone calls and emails. These people spend a lot of time gathering research to make their approaches seem as legitimate as possible.

“The message is - question all information you are asked for, be aware.” 

How does the law protect businesses?

It is clear that data protection and cybersecurity are problems that are not going to disappear any time soon. 

The EU is currently trying to address the problem and bring in legislation to help protect businesses in the form of the General Data Protection Regulation, which is due to be agreed in early 2016.

“The problem with this is that there will be a two-year implementation period, by which time, with technology developing at the rate it is now, the legislation risks being outdated,” said Collins.

What can businesses do to protect themselves?

“Businesses shouldn’t be waiting until after the hack has happened. They need to plan ahead and vigilantly protect themselves as well as having contingency plans.

“Data needs to be stored safely and encrypted to the point it loses its value to a criminal, insurance policies must be in place, and workforces need to be educated on how they can help minimise risk.

“Children are taught from the moment they are given a computer to protect themselves, but are employers giving their staff adequate training in terms of cybersecurity and the risks they face?

“We are at a stage where passwords need to be backed up with fingerprint or eye recognition technology as they have become too easy for hackers to bypass.

“All organisations need to start examining data security and looking to a dynamic and multi-layered approach.

“Businesses need to plan based on an absolute worst case scenario, rather than what they think is a more realistic scenario.

“Some of this may sound like science fiction but the figures show the risk to businesses is not just a fact but that it is fast becoming the biggest and most difficult challenge businesses face today.”
