Recent high-profile cyberattacks unfortunately suggest that organisations that have not suffered a cyberattack will soon be in the minority.
Cyberattacks in the headlines
In May 2017, 47 NHS Trusts (among other businesses) were the well-publicised victims of the WannaCry ransomware cyberattack. In addition to reputational and financial cost, the cancellation of appointments and delay in access to records and results meant there were some serious repercussions for individuals. The attack is now thought to have impacted an estimated 200,000 systems from a broad range of organisations around the world.
A month later a second ransomware attack, NotPetya, was launched. Victims of this second attack include FedEx, Reckitt Benckiser (manufacturer of Nurofen) and the world’s largest advertising agency, WPP.
But it won’t just be the big names that are impacted by such attacks. These ransomware attacks took advantage of outdated software, so smaller companies with tighter budgets are at particular risk of being vulnerable to them. Smaller firms may also struggle to deal with the impact of an attack. As a result, they may be more inclined to pay the ransom in order to get back to business.
Prior to these attacks, in April, the Government released the findings of its Cyber Security Breaches Survey 2017. The report concludes that a ‘sizable proportion of businesses still do not have basic protections or a formalised approach to cyber security’. Most notably, 46% of those surveyed had suffered a breach in the last 12 months, and a third of those stated that they suffered at least one a month.
Recent global cyberattacks involved ransomware demanding payments in Bitcoin in order for companies to retrieve their data. In general, attacks tend to be fairly unoriginal in their basic format. The recent NotPetya attack was so named because it was initially thought to be a strain of the previously used Petya ransomware, due to similarities in the method of attack. The main difference was that Petya was a criminal enterprise for making money, whereas NotPetya seems to have been more about causing damage to global software systems.
Understanding how these attacks happen can help you protect your business.
According to the Government’s 2017 survey, of the businesses reported to have suffered a breach in the last 12 months:
- 72% suffered a breach involving fraudulent emails sent to staff
- 33% suffered a breach involving viruses, spyware or malware
- 27% suffered a breach involving impersonation
- 17% suffered a breach involving ransomware
The Government’s 2017 survey found that the average cost of security breaches ranged from £1,380 for micro and small firms to £19,600 for large firms. Reckitt Benckiser stated that, as a result of the NotPetya attack, it expects its like-for-like net revenue growth to be around 2%, compared with a previous estimate of 3%. With annual revenues of £10 billion, this could represent a loss of income of up to £100 million.
With the increase in the storage of information online, the average cost of a cyberattack is likely to escalate in the next few years. The new General Data Protection Regulation (GDPR) comes into force in less than one year and allows for fines of up to the greater of 4% of annual worldwide turnover or €20 million for data breaches. The number of data breach fines has already doubled in the last year alone.
As mentioned previously, the recent high-profile attacks took advantage of outdated and unsupported software. However, in the case of WPP’s vulnerability to the NotPetya attack, this is believed to have been caused or magnified by the recent outsourcing of its IT team, which left gaps in the company’s technical support.
While the removal or outsourcing of an entire team is not commonplace, exposure could arise from the departure of individuals, whether permanent or temporary. With the summer holidays fast approaching, it is likely that many companies will have staff on annual leave, and in their absence other team members may cover their roles. Although the holiday season is typically a quieter period, having staff unfamiliar with day-to-day procedures leaves a company more at risk of an attack. Spear phishing is likely to be particularly effective at this time.
Measures to prevent attacks
A recent international law enforcement operation, involving organisations from countries around the world, has seized and shut down the AlphaBay and Hansa sites, two sites associated with the trade of malware and stolen data. However, companies need to take some responsibility for their own cyber security, as law enforcement agencies struggle to keep up with the pace of change.
According to the Government’s 2017 survey:
- 58% of businesses questioned had sought information, advice or guidance on the threats to their business in the last year.
- 74% stated that cybersecurity is a high priority for senior management.
Training senior management is necessary and should ensure that cybersecurity receives the investment it needs. It is important that cybersecurity is viewed as a high priority and that training is provided for all staff. At the end of the day, cybercriminals are not selective about who in an organisation they target.
We have become accustomed to seeing global attacks on a monthly basis; it may well be the case that the next strike is just around the corner. Should we expect regular attacks on the scale of WannaCry and NotPetya? And how can we stop ourselves becoming sitting ducks? The good news is it’s not that difficult.
Jeremy Gardner, our Managing Partner, leads the UK200Group’s Digitalisation Taskforce.