“There are only two types of companies: those that have been hacked and those that will be hacked.” Robert S. Mueller, III, former Director of the FBI and now Special Counsel investigating Russian interference in the US election, made this famous remark. But almost by the time he made it, it was out of date. It should instead be: “There are only two types of companies: those that have been hacked and those that don’t know they have been hacked.”
The message is that no one and no company is immune from cyber-attacks, not even Byronvale Advisors! A while ago one of our computers got a virus, resulting in an ‘unusual’ email being sent to people, some known and some unknown (our sincerest apologies). While highly annoying and embarrassing, there were lessons to be learned.
Lesson 1 – What is the new ‘normal’?
The world and environment in which business operates is changing at lightning speed, and defending against cyber threats is no longer enough on its own. Even though it slows our systems down, Byronvale Advisors runs dynamic virus protection software on its computers, and in addition runs a secondary daily scan. The traditional protect-and-control mentality, though, is no longer sufficient: attackers have increasingly turned to exploiting people and not just technology.
Lesson 2 – IT security needs to focus on the response rather than the protection
Spending time on creating an impenetrable barrier to cyber-attacks is no longer sufficient. Companies need to prepare for the inevitable reality that they will be attacked. You may ask these questions in anticipation of an attack:
- Do you know what you have that others want?
- Do you know how your business plans could make these assets more vulnerable?
- Do you understand how these assets could be accessed or disrupted?
- Would you know if you were being attacked and if the assets have been compromised?
- Do you have a plan to react to an attack and minimise the harm caused?
If the answer to any of these questions is “no”, that is where to focus cyber security and where changes need to be made.
Lesson 3 – People are your biggest strength and biggest weakness
No matter how good or strong your technology defences are (firewalls, anti-virus software, intrusion detection systems) or how robust your internal controls and processes are, your staff remain the weakest link. It is analogous to driving a car: there are road rules, line markings and warning signs (or, in business, policies and procedures), and yet people still ignore or disregard them. There is no security patch for stupidity, whether deliberate or not.
So why are companies targeted, especially small companies which may only have a little general information on their website or in their systems? Well, most companies have more information than they realise, and a few large-company attacks give an insight into the type of information cyber criminals are after.
- Sony – 47,000 records stolen with proprietary and employee details (employment, health and emails). Sony’s initial costs were over $100m (reduced to $15m after an insurance payout), but the breach resulted in an 11% sales decline and a 7% fall in share price. The co-chairs resigned after ‘racist’ and other offensive emails were released.
- Home Depot – 56 million credit card numbers and 53 million email addresses stolen – cost Home Depot $109m to fix.
- JP Morgan – email addresses and physical address of 76 million households and 7 million small businesses, costing JP Morgan $83m.
- eBay – hackers took customers’ personal information affecting 145m active users. Cost to eBay was $145m.
- Target (US) – hackers stole credit card details. Credit card issuers had to reissue credit cards, costing them $200m. The mid-range ‘price’ per credit card on the black market was estimated at the time at $26.85, so the haul generated the cybercriminals $53.7m for six months’ work. The CIO, CISO and CEO all lost their jobs, and seven of ten Directors were pushed for re-election for failing to provide sufficient oversight.
The above cases also highlight three important facts about cyber breaches. Firstly, in 69% of all cyber breaches the victim is notified by an external entity. For example, a victim may receive a ransomware message from the criminal, have people calling to advise the company, or have customers querying suspicious transactions on their credit cards. Second, the median number of days that a threat is present on a network before its earliest detection is 205 days (source: Mandiant M-Trends). The longest known threat presence is 2,982 days. The cybercriminal is patient, watching and waiting, gathering information and preparing for the greatest impact. Thirdly, poor handling of cyber incidents (both internally and externally) has led to harsh impacts on many companies.
Cyber-crime is big; it is the new ‘drug’ for organised crime. It is less labour- and inventory-intensive than any actual drug, can be carried out anywhere and at any time, and is easily scalable. If it hasn’t already, cybercrime will surpass any other organised crime activity.
My advice, and the one takeaway, is this: be aware, be mindful, and be prepared. It is not a matter of if you will be a victim of a cyber-attack, but when (if you haven’t already been). Prepare yourself for this unfortunate reality.
About the author
Stephen Barnes is the principal of management consultancy Byronvale Advisors. He has over 25 years’ experience advising clients from new business start-ups to publicly listed companies, across a wide array of industries. He prides himself on quickly understanding the client’s business and issues, and on synthesising problems to develop pragmatic solutions. He is also the author of ‘Run Your Business Better’.