Yahoo’s data breach highlights difficulty in determining whether unauthorised access to data has occurred

CYBER RISK is a dynamic threat as criminals seek more creative ways of extracting value from reputable businesses. The new wave of attackers are sophisticated and skilled, and may lie low inside a network for weeks, or months, before taking definitive actions. Their actions are designed to blend in with the everyday hum of network activity, in order to go unnoticed. They will often hijack a user’s credentials to appear legitimate and this can be hard to detect. The days of relying solely on keeping anti-virus software up to date are long gone.

Yahoo’s confirmation that following a recent investigation it believed that information associated with at least 500 million user accounts was stolen from the company’s network in late 2014 highlights the difficulty in determining whether unauthorised access to data has occurred.

PwC’s The Global State of Information Security Survey 2016 highlighted that the majority of sources of security incidents emanated from current (35%) or former (30%) employees. Other sources included contractors and business partners. Consequently monitoring and ongoing training of employees to ensure they remain vigilant on evolving risks is a key plank for defence.

New technological solutions are being developed to meet the evolving threats. Darktrace, for example, has technology which is capable of spotting attacks early in their lifecycle and preventing them from doing serious damage. It detects and correlates anomalies in user, device and network behaviour which allows the organisation to intervene early to mitigate or prevent emerging attacks.

It can however be difficult to decide on which information and processes in a business need to be protected. Customer details and intellectual property would probably be high up many people’s lists, but how about details of suppliers and employees? The loss of the automated control of one machine might not pose an unacceptable risk to an organisation, but the loss of control of a critical infrastructure asset probably would be unacceptable.

“Beneath the surface of a cyber attack – a deeper look at business impacts”, a report by Deloitte, provides a more sobering analysis. They consider the aftermath of a cyber attack in three main stages. The first is the “incident triage” which is highly reactive and focussed on the immediate response and communication needs as the organisation seeks to halt the disruption and identify what happened. The second “impact management” stage, possibly lasting weeks or months, covers the reactive efforts to reduce and address the direct consequences of the incident. The “business recovery” stage could last months or years and is focused on repairing damage to the business and preventing it occurring again. They highlight 14 impact factors which might play out over time, including short term PR, cyber security investments, regulatory and litigation costs, loss of customer relationships and loss of intellectual property.

It would therefore appear safe to assume that no organisation is completely safe from cyber attack, and therefore a thorough response plan should be developed and rehearsed (including how you know you are being subjected to a cyber attack in the first case).

The final word should go to Talk Talk, who have been subject to a well-publicised attack and implemented a recovery plan. On 21 October 2015 their websites started running slowly and they received a ransom demand. It took over two weeks to identify that the attack was limited to 156,959 customers of which 15,656 bank account numbers and sort codes were stolen. They reported a £42m exceptional cost directly related to dealing with this attack. In their 2016 annual report Data and Cyber Security is the first principal risk listed and they go on to say “What is required is a sustained evolution of culture, organisation and ways of working which embeds security across the business”.

Let us all learn from their experience.

David Tilston has been an Audit Committee Chairman of a listed PLC and Group CFO at four listed PLCs