November 24 last year was like any other day for many, except for staff at Sony Pictures Entertainment. Almost at once everybody’s screens flashed a stylised skull image, followed by the dire warning: “This is just the beginning …” It was.
Over the following weeks it was discovered a cloud massive cache of information had been stolen and posted on the internet. It included emails about stars such as Angela Jolie and Jonah Hill, movie scripts, confidential contracts and passwords of senior executives. President Barak Obama blamed the North Korea for the hack in apparent retaliation for Sony’s film The Interview that included a plot to kill North Korean leader Kim Jong-un.
It was highest profile of a string of attacks on other global enterprises. Adobe, Evernote, eBay, JP Morgan Chase, Apple’s iCloud, AOL, Yahoo, Target Stores, the US military, Hewlett-Packard, Citigroup and many others were hacked, causing billions of dollars in damage. Another significant recent hack was on Gemalto, which produces most of the world’s SIM cards. Encryption keys were stolen, leaving billions of handsets vulnerable to being intercepted.
In Australia, however, there is a worrying lack of perception of the seriousness of the issue. Last month it was disclosed that Optus had three major data breaches affecting more than 300,000 customers. Every year thousands of Australian businesses are hacked in some way but many never think it is a serious threat. While the potential damage can be substantial, surprisingly few Australian executives understand how to cope with the potential threat.
“The cyber threat is not new,” Telstra said in a report on cyber security last year. “Cybercrime is just crime. Cyber espionage is just espionage. Cyber hacktivism is just activism and protest …” While this may be correct, threats roundcube hosting from cyber crime for companies can be significant. Attacks can happen a lot quicker than many executives are prepared for, with many lacking the technical capacity to deal with a sudden event.
Most Australians have heard of skimming from automatic teller machines, but unless it has happened to them most don’t worry about it. It is the same for most businesses. More than 90 per cent of the businesses I often talk to do not seriously consider cyber security issues. Many hacks go unreported because companies worry clients and shareholders will be alarmed. This is understandable but it means many have a false sense of security about their vulnerability.
Government website www.staysmartonline.gov.au outlines many of the problems people can face on the internet. In 2012 the site issued advisory alerts to small businesses following Australian Federal Police announcements that about 500,000 credit cards had been stolen resulting in more than $25 million of fraudulent transactions. Many companies make the mistake of thinking that they don’t have much information of value to a potential hacker. But it is likely they do. Employee information, confidential emails, payroll, trade secrets are valuable to hackers, either for their own advantage or to sell on the black market.
There are many reasons that companies lack the ability to deal with cyber threats. These include low security awareness among employees, lack of budget, too much data to analyse, a lack of skilled personnel, a lack of management awareness and support for those seeking to prevent the problem. Businesses that do take it seriously are those with good consultants or those who have been hacked and understand its devastating impact. While companies need to take cyber security seriously it is a matter of proportion; there is no point spending big unless the situation warrants it. Most either spend too little or are convinced by some consultants to spend too much on ineffective solutions.
Many incidents can be avoided with just a little awareness and planning. A key mistake is to assume all threats are external; many incidents come from employees or contractors seeking information for fraud, for sale or for revenge. In too many cases companies have no measures to monitor the activities of privileged users — the ones they need to trust to keep their business running.
A survey by international information security group Clearswift of some 500 IT mangers and 4000 employees showed 88 per cent of companies had a security incident in the previous year and 73 per cent of those incidents were attributable to employees, ex-employees, contractors and partners. The Australian edition of the report was even more damning. Good IT security advice and hiring policies with staff only having access to information they need, can go a long way to protect businesses from insider threats.
Companies should consider having a security consultant review their processes and systems. They need someone with a good reputation, preferably through referral, who will ask many questions before providing tailored advice rather than someone who offers a generic (and often expensive) solution. If you are high risk it could mean the difference of remaining in business.
Hackers want any thing of value, servers but sometimes they don’t know what they want until they find it. Most hacks are automated and scan the internet and networks or lay in wait (malware) on compromised websites waiting for someone to trigger them. The hackers will then use pattern recognition to identify valuable data such as banking information. If someone targets your organisation directly that is when you need to be worried. It is like comparing a professional thief to the smash-and-grab criminal. Professionals know what they are doing and what they are looking for; there is often little you can do but slow them down. Most businesses are not like banks, which know they have something that everyone wants. If you have the kind of business someone would target and you are not prepared, it is a matter “when”, not “if”, you will be hacked.
Rapid changes in technology, such as the Cloud, the Internet of Things (connected devices), wearable technology, and even smarter smartphones, provide endless threats. Think of the number of security updates that Microsoft and Apple release and look forward another year in the knowledge there are many undiscovered vulnerabilities. Every major change sends us back to the beginning to get ready for what is out there.
But all is not hopeless. If you take precautions you can minimise the risk to which you expose yourself. You wouldn’t journey to the top of Everest in shorts and T-shirt would you?