An unsuccessful American thief Willie Sutton was asked in court why it was that he robbed banks. His answer secured his place in history. He robbed banks he said “because that was where the money was”.
Cyber criminals took this message to heart. In the past 30 years, cyber crime has evolved from the province of the amateur hacker in a suburban bedroom into a sophisticated organised international industry with its own supply chain of employers, contractors and specialist sub-contractors. From the beginning, though that is now changing, the banks were the primary target.
Banks have been forced to spend hundreds of millions of pounds on additional defences and to set up a system to pool information to aid the fight against this invisible yet highly dangerous enemy. But the fact that they were the obvious target bred complacency elsewhere. Mainstream non-financial businesses could be heard to say they had nothing much that anyone would want to steal. They did not think cyber was a major threat to them.
Such attacks cast a shadow over the competence of management – they precipitate a host of reputational and trust issues which can linger for years
But this has changed. A succession of high-profile events, from the attack on Sony Pictures alleged to have come from North Korea to the loss of data at the mobile phone provider TalkTalk, cyber attacks are rarely out of the news. And with that has come a new realisation. It is often not the actual theft of data which is the real cost to the company, it is the much longer lasting damage to the firm’s reputation, and to customer and investor confidence.
Such attacks cast a shadow over the competence of management; they raise doubts about the adequacy of controls; they precipitate a host of reputational and trust issues which can linger for years. Months after the attack, the stock market value of TalkTalk was still almost £1 billion less than on the day the attack was announced.
So it was perhaps no surprise, but nonetheless welcome, that reports, circulated at the January World Economic Forum of business leaders in Davos, reflected a change of mood. The big change for 2016 is that everybody is now concerned.
And so they should be. A survey published last year by the Centre for Economics and Business Research put the annual cost of cyber crime in the UK at £34 billion, split not quite evenly between the costs resulting from the attacks and the costs of the extra spending on prevention.
Striking in a different way were the results of the annual Information Security Breaches Survey, prepared by the business services group PwC for the Department for Business, Innovation & Skills. The 2015 version found that 90 per cent of large companies and 74 per cent of small companies had experienced some kind of breach in the last 12 months. But many displayed an alarming amateurishness in the way they defended themselves.
Interestingly getting on for half of these breaches were the result of internal lapses by employees, which underlines an important point. Many successful external attackers rely on an employee doing the wrong thing – something as simple as opening an e-mail attachment from an unfamiliar source – to gain their initial entry.
Not just about money
We should also dispel the myth that all the attacks are about money. Cyber specialist at PwC, Richard Horne, makes this point strongly. He divides attacks into four distinct categories:
- Attacks instigated by agencies of government or sophisticated terrorist groups which are seen as a way to make their presence felt without resorting to force of arms;
- Attacks originated by criminals whose interest usually is money or blackmail leading to money;
- Attacks for information, which are the modern version of industrial espionage where the objective is the theft of intellectual property or other economically valuable commercial secrets – suppliers and customers, contract terms, new product development and so on. And it may not be an organisation’s own data which is the target as some are attacked to get data on third parties with whom they do business;
- Attacks by rogue employees, some who are disgruntled and want to cause trouble, and others who believe they are fulfilling some higher purpose by whistleblowing.
The challenge for companies now they increasingly appreciate the scale of threat is to know what to do about it. There is no shortage of offers to help; there are thousands of companies offering cyber defences and more starting up every day. But as with all new industries which attract a flood of entrants, the majority will not survive, so the issue is less about who has the most attractive offer today and more about who has the resilience to be a long-term partner.
There is no simple way to solve this problem, but perhaps the best approach is to understand from the beginning that effective defence rarely comes cheaply. Cyber security is not simply today’s issue – it is one of the major business challenges of the next decade.