The prolific Sony hack late last year sparked attention and debate across the world. But it was just one of the latest in a string of malicious cyber attacks doing untold damage to the reputations and revenue bases of the globe’s largest corporations – including its biggest banks. The threat is on the increase; a study by Radware last year found that 19 percent of companies in the UK claimed they were under constant cyber attack – up three times from 2013 – as hacks become easier to carry out, quicker to spread, and harder to detect.
Meanwhile, a study by PwC found that 81 percent of large UK businesses had fallen victim to at least one security breach in 2014, resulting in losses of between £600,000 ($903,000) and £1m ($1.5m). It’s no wonder that more than 70 percent of banking and capital market CEOs believe cyber risks are threatening their potential growth (according to PwC).
Political statements
The motives for these attacks vary; from selling personal data for financial gain to ‘hacktivists’ making geopolitical statements – which 34.4 percent of targeted companies said they’d experienced (see Fig. 1). Those politically motivated attacks pose a significant danger to corporations and wider economies, targeting financial institutions in their masses as an assault on government revenue.
Worryingly, they’re expected to rise. “All our intelligence tells Radware it will see more geopolitical campaigns and everyone will be a target, especially the banks, because of what they symbolise rather than what they control”, said the cyber-security consultancy. Last year, protests in Hong Kong and news that Latvia would be leading the EU both drove a rise in the number of cyber attacks on the respective countries, and Ukraine’s Central Election Commission found itself the victim of an attack ahead of the elections in May.
Cyber attacks are growing every day in strength across the globe
State-owned banks are particularly vulnerable, according to Adrian Crawley, Radware’s UK and Ireland regional director – as are those whose reputation may have been tainted in the public’s eye. “If the bank happened to have just declared that there was tax avoidance at certain branches in certain countries, which may have happened recently, they would also be liable to be attacked”, says Crawley.
Under attack
The damage geopolitical cybercrime can cause was made all too clear when the Izz Ad-Din Al Qassam Cyber Fighters (QCF) launched its seven-month Operation Ababil in 2012, targeting some of the largest financial institutions in the US – including the New York Stock Exchange, Bank of America and JP Morgan Chase. The attack sent 15 bank sites down for a total of 249 hours – equivalent to an average of 2.7 hours a week for each institution. Its financial impact, including the consequences of the downtime, was huge; although the exact figures have never been revealed, Crawley estimates the campaign caused multi-million dollar losses.
That’s not the only prolonged attack the US has suffered over recent years; between 2005 and 2012, a number of American businesses, including Dow Jones, Visa Jordon, JC Penney and 7-Eleven, fell prey to a series of vicious attacks that saw over 800,000 bank accounts targeted and more than 160 million credit and debit card numbers stolen. Global Payment Systems suffered losses of almost $93m, and Heartland Payment Systems – one of the biggest credit and debit card-processing firms in the world – saw losses amounting to around $200m, after the numbers were used to create and sell counterfeit cards, according to federal prosecutors.
Target, eBay and Home Depot have all hit the headlines for prolific hacks, but it’s arguably the JP Morgan Chase attack in 2014 that has provoked the most concern. Hackers reached the accounts of 76 million customers and seven million small businesses, making it one of the largest bank hacks in history and prompting chairman and CEO Jamie Dimon to warn of the rising dangers in his yearly letter to stakeholders: “Cyber attacks are growing every day in strength across the globe”, he wrote, adding that the fight will be “continual and likely never-ending”.
As those hacks suggest, the financial implications for targeted corporations can be substantial; in 2008, McAfee surveyed 800 firms and found they’d racked up combined losses of $4.6bn in intellectual property, while incurring costs of around $600m in repairs.
And the potential losses are even greater for banks, where every minute of down time deals million-dollar blows to the revenue base through lost trade. It can also have serious implications on the retail side, with consumers unable to access accounts and thereby make necessary payments – which in turn may pose legal issues, according to Crawley. “The legal side of not being able to adhere to your policies is critical”, he says.
Holes in Obama’s plans
It’s little surprise, then, that governments are stepping up efforts to fight cybercrime. In February, Obama held a summit to detail plans to increase digital security; namely by encouraging the sharing of information between public and private tech companies via Information Sharing and Analysis Organisations (ISAOs). “We have to work together like never before”, he declared. Under the plans, a transatlantic ‘cyber cell’ is being created to bolster collaboration between the US and the UK, and cyber war games between the two nation’s banks are set to kick off later in 2015 as they test each other’s resilience. The UK is meanwhile dedicating £700m ($1.03bn) a year to step up the cybercrime fight.
But there’s only so much the government can do, and that’s limited further by the fact Obama has failed to get a number of the major Silicon Valley tech names on side – including Google, Facebook and Yahoo!, whose executives declined to attend the summit.
And there are counter-arguments to America’s plans. According to Lillian Ablon and Martin Libicki, cybercrime researchers at global policy thinktank RAND, Obama’s strategy could restrict WhiteHat security and see other all-important areas (such as vulnerability research) neglected. In a RAND testimony against the plans, Libicki also argued that ISAOs could mean excluding small- and medium-sized enterprises (SMEs) unable to afford the expensive ISAO fees – thereby dealing a blow to the very businesses already struggling to put adequate cyber-security measures in place.
Crawley is similarly sceptical of Obama’s plans: “Whatever is identified during this process will be very constructive, but the negative side is, attackers have already gone beyond that”, he says. “Whilst it’s great [on] one hand, I don’t believe it’s going to be the answer that everyone’s expecting.” He believes the power to prevent cyber attacks lies more with individual institutions – and specifically how they run and audit their security systems. Ian Whiting, CEO of cyber-security firm Titania, argues the planned collaboration is a positive move that could help identify “where weaknesses lie with our own country’s critical infrastructure”. But even he recognises its limits, arguing that it’s ultimately down to organisations to decide what level of risk they’re willing to take – and act accordingly.
Not so secure
It therefore seems clear a more comprehensive approach is needed to tackle threats from the cyber world. Libicki suggests governments should implement measures that cater for smaller as well as larger companies – such as helping them to seek out potential weak areas, and to analyse (and so learn from) past cyber attacks.
But the companies themselves must do more to tackle cyber threats if they’re to protect themselves and the wider economy. Although many are already taking action – major banks are collaborating, and 52 percent (see Fig. 2) surveyed by Radware said they were ramping up their cyber-security processes and protocols – some are falling behind.
A substantial number of companies aren’t being transparent enough; PwC found that 70 percent of them have kept their biggest breaches secret. That makes sharing information, and developing suitable systems and responses accordingly, somewhat of a challenge. And according to security company Venafi, over half of the Forbes Global 2,000 list have servers that aren’t fully protected against breaches. “[Some companies] feel maybe that they’re not so exposed”, says Crawley. “But what we’ve identified over the past five years with our emergency response team is that no-one is outside of the vulnerability here, everyone is at risk.”
That’s something the Bank of England is recognising, encouraging financial institutions to up their protection levels on the back of a growing threat from politically motivated attacks. Director Andrew Gracie said at a security conference that banks should reach “a level of resilience that goes beyond basic cyber hygiene”, and that firms should be “in a position to manage advanced persistent threats that are the hallmark of some state-sponsored attackers”. He added that protocols should seep through into the c-suite rather than resting solely with IT staff.
Shared responsibility
Relying on IT experts alone is indeed insufficient; according to a study by McAfee, misunderstandings and misinterpretation reside among a worryingly large number of security experts responsible for preventing advanced evasion attacks (AETs) – concealed attacks which bypass security controls. According to the report, 75 percent of those surveyed used vendors that didn’t include technology to prevent this form of security evasion. A further 39 percent of IT decision makers, meanwhile, admitted they didn’t have adequate measures in place to spot and track AETs.
According to nearly two thirds of the McAfee respondents, the biggest obstacle to preventing that form of attack was convincing the board AETs were a genuine danger; it’s thus clear that, as Gracie has argued, getting executives on board should be a priority. So long as cyber-security is considered the preserve of cyber-experts alone, the threat will remain. Training the entire workforce so as to avoid potential attacks is essential – and it’s a strategy that, unlike ISAOs, both SMEs and larger organisations can get involved with.
But RAND’s Ablon believes efforts should go yet further beyond workforce training to ensure that cyber-security is embedded from an early stage. She believes that teaching secure coding in school, and making it an obligation for those developing technology, should be priorities. “We currently only focus on the [functionality and convenience], and then ‘patch and pray’ that security will also happen”, she says, arguing that far more needs to be done if the very serious risks are to be, at least in part, mitigated.
Ablon certainly has a point. And as the Internet of Things takes on an increasingly important role, the potential damage cybercrime can cause is only going to grow – especially if it seeps into other areas, notably health. Crawley gives an example: “Your pacemaker could be linked to the internet, and if someone could hack into that system they could hack a device that’s protecting people.”
If not controlled properly, cybercrime could pose a very real and serious threat to both economies and the institutions and people in them. Although the digital revolution has made complete security impossible – as Crawley puts it, “the only way you’re going to be 100 percent secure is if you cut all links to online and you become an industry of the 1900s” – improving training, raising awareness through education and increasing transparency are actions that need to be taken urgently if we’re to halt the threat before it’s too late.
