TalkTalk, Ashley Madison, Hacking Team (oh, the irony), WHSmith and even a German nuclear power station. They’re just a few of the organisations that have fallen victim to data breaches or other cyber attacks of some kind over the past year.
A look at the aftermath of TalkTalk's breach gives an indication of just why cyber security is such serious business. The attack cost it over 100,000 customers and the firm was forced to book exceptional costs of £40-£45m. It's worth bearing in mind things could've been much worse too – only around 4% of the company's four million customers were actually affected.
With many executives feeling lost at sea when it comes to IT nous, it’s no surprise the business of cyber security is picking up. Insurance broker Willis Towers Watson estimates that the cyber insurance market is growing by 30 to 40% per year. Some predictions claim it will reach $15bn (£10bn) of premiums per year by the early 2020s, from about $3bn-$4bn now. And back in December, recruitment firm Manpower said demand for specialist cyber workers had increased fourfold over the past year, meaning the UK’s best experts were raking in over £10,000 a day.
Insurance firm Beazley recently announced a tie-up with Munich Re to offer broader protection for large companies’ digital assets. Its data breach insurance business has been growing at around 30% annually. In 2014 Beazley Breach Response Services helped clients handle 777 breaches and last year that rose to 1,249. Over the same timeframe the proportion of breaches triggered by hacking or malware has also grown – from 18% in 2014 to 32% in 2015. ‘We estimate that if claims continue at their current pace there will be a 250% increase in hacking and malware attacks this year,’ says Paul Bantick, head of technology, media and business services at Beazley.
Similarly, during the first quarter of 2016, BAE Systems had new interest from more than a dozen FTSE 100-scale organisations looking for help in keeping protected. James Hatch is director of cyber security services at BAE Systems Applied Intelligence and has worked there for over 20 years. ‘Two years ago we spent time expanding to the C-suite why they should be taking cyber risk seriously,’ he says. ‘Now it’s firmly on the board agenda and we focus instead on helping clients overcome the practical challenges of improving security in large, complex organisations.’
And for telecoms firm BT, its security business is one of the fastest-growing parts of the company – aiming to bring on board another 900 members of staff in the next year to bolster the team of 2,500. BT boss Gavin Patterson drew attention to the scale of cyber risk at Davos earlier this year, saying his company’s network now deals with ‘hundreds of thousands’ of attacks per day – an increase of 1,000% in the past 18 months. The telecoms firm’s head of security Mark Hughes does, though, warn that care is needed in how we discuss these numbers. ‘We have loads of attempts to do stuff to us all day every day, but when I talk about the increase it’s more the very targeted types of attacks,’ he says.
Organisations including Unilever, Nationwide and the National Bank of Australia use BT’s security products and Hughes says much of the challenge is about getting customers to understand it’s not a one-size-fits-all and not everyone faces the same threats. ‘It’s about trying to sort through that noise and trying to understand what does that really mean for me as a business – how at risk am I?’
Part of the difficulty for firms – even those with the funds to focus on recruiting workers specifically for combating potential hacks and data leaks – is that it’s an ever-evolving threat. ‘Cyber security teams are overwhelmed with the threats they face to their business,’ says James Chappell, co-founder and CTO of cyber security start-up Digital Shadows. ‘Many are under-resourced and often use technology that simply bombards them with hundreds or thousands of alerts a day which are difficult to make sense of.’
Hughes thinks the management of companies is key in preventing attacks – an effective approach to cyber security requires ‘a different way of working,’ he says. Getting different departments communicating on this helps get the organisation into ‘a much better place to respond to those things which can unfold very quickly’. So when things do go awry, you have the right response mechanisms in place. ‘We talk about the "blast radius" of these types of events, so if something does go wrong you can contain it and bring operations back to normality as much as possible,’ Hughes explains.
Incoming European rules expected in 2018 may make firms even more concerned about finding the right protection – and fast. The legislation will force firms from various industries (banking, energy, transport, telecoms) to report details of cyber breaches to regulators and affected customers, some for the first time. ‘Businesses have two years in which to comply with the regulation and penalties for non-compliance are onerous,’ Bantick says. ‘In addition to the reputational issues of suffering and publicising a breach, punitive fines can be imposed for non-compliance of up to 4% of global business turnover.’
And it’s likely opportunities for those working in cyber security will continue to grow. Hughes points out that organisations are ‘becoming more digital in their approach’ and we’ll likely see the ‘mass proliferation of the Internet of Things’ which means the threat at surface level is only going to increase. Threats like hacking and data leaks can be damaging to companies’ balance sheets as well as their dealings with regulators and rating agencies. The double whammy of financial and reputational costs means firms want to shape up fast with adequate protection. So if one thing's secure for the time being, it's the prospects of those firms cashing in on cyber attacks.
Five tips for management teams from James Hatch, BAE Systems's director of cyber security:
1. Be clear who in the organisation is responsible for cyber risk.
2. Make sure you understand the risk specific to your organisation.
3. Make active decisions about that risk. What do you want to do about it and how will you achieve that?
4. Be prepared. Know how you will detect a problem and how you will respond – from technical measures to what you will say to customers and the press.
5. Ensure your security reinforces your strategic objectives – if it doesn’t, it just won’t happen.