What four key industries can learn from European Cyber Security Month
During European Cyber Security Month, the countries of Europe join together with the aim of improving the continent’s digital and online security.
Organised by the European Union Agency for Network and Information Security (ENISA), the month-long event aims to raise cyber-security awareness within businesses and organisations of all sizes.
Throughout the month, official bodies have hosted events and released resources to help advise companies on how to manage cyber security threats, as well as exploring new methods to help protect businesses from risks of the future.
Here, we take a look at four key industries and explore case studies of just what can go wrong when it comes to managing cyber security within each sector. In each example, we look at what caused the cyber-attack, how the company responded and what lessons were learned in the process.
As an industry, banking is one of the most regulated and heavily protected in the whole world. Dealing with billions of pounds of customers’ money each day, the European banking sector is one of the world’s largest, and is therefore a huge target for hackers and cybercriminals alike.
From organised criminal gangs looking to harvest the personal details of banking customers, through to lone individuals intent on spending money that does not belong to them, banking and finance offers criminals no shortage of opportunities.
That’s why cyber security in banking is the key theme for the entire first week of European Cyber Security Month (ECSM).
According to industry publication Banking Technology, cyber attacks against the banking industry have soared in recent years, with financial institutions now facing 300% more attacks than any other industry. Despite this, the publication argues that the industry is far more aware of, and better prepared for, cyber attacks than it is given credit for.
According to a 2015 report by the Bank of England on the UK’s financial stability, threat awareness has grown significantly within the sector, and a great deal is being done to fight cybercrime. A reassuring statement, but hardly surprising given that over 90% of large financial institutions in the UK say they have been the victim of cyber-criminality.
One bank which hit the headlines in January 2016 was HSBC, after its online banking facilities were made unavailable by a distributed denial of service (DDoS) attack.
According to the bank, its website and systems were flooded with traffic, taking its website and online services offline. The bank reassured its 17 million personal and business banking customers that it had successfully defended its systems. A denial-of-service attack aims to exhaust capacity rather than to steal information, and no customer data was obtained during the attack.
The attack came at a time when millions of the bank’s customers were trying to access services, as the UK woke up to the first payday of the year.
After this and other such incidents, including one in which an undisclosed number of American HSBC Finance Corporation customers had their data exposed, the bank’s chairman pledged to invest heavily in cyber security to further improve its ability to look after customer data.
“Better use of data will allow more accurate knowledge about the customer to be built, leading to improved customer segmentation and therefore less risk of misselling in the future. The same data, together with transaction monitoring, will enhance our ability to identify bad actors within the system, so reducing financial crime. A lower cost of delivery will flow through to lower intermediation costs for customers and allow banking services to reach communities currently underserved,” he said.
“The nature, scale and pace of change do, however, pose a number of public policy questions still under review as well as highlighting new risks to financial stability that need to be addressed.
“The sheer scale of data to be collected and stored demands clarity over responsibility for data security and transparency over who has access to that data and for what purpose.”
Whilst technological advances and improved digital security play a key role in reducing the risk of cyber-criminality in the banking sector, PricewaterhouseCoopers suggests that education and internal communication can also play their part.
In a report published in 2014, PwC say that educating employees at every level, from the CEO down to junior management, helps to build understanding and awareness of cyber attacks and puts the entire business on the lookout for suspicious signs. On the same topic, the report suggests that a constant line of communication with regulators is essential in order to stay up to date with industry best practice on security and data management.
The report concludes that it is vital to understand who the likely culprits of cyber-criminality are and what motivates them, so that a business can engage in prevention effectively and test its own systems for vulnerabilities before a criminal has the chance to.
The automotive industry is one that has changed remarkably little over the last 50 years.
Thanks to its established internal processes, a production method dominated by mechanical engineering and the relative technical simplicity of most cars, the industry came to be seen as largely immune to modern cyber attacks.
That is, until the recent emergence of new technology, which now puts the sector on the map as one of the most vulnerable to cyber attacks.
From in-car computers and digital security systems through to self-driving cars and the challenges that they bring, the automotive industry is going through something of a digital revolution, and cyber threats follow not far behind.
The automotive industry now depends on technology and web-based communications more than ever before. That means a larger attack surface: more entry points for those looking to do harm, steal data or even take control of vehicles.
As well as systems such as in-car computers, satnav and other facilities, the key shift in the industry is the gradual introduction of self-driving cars. Companies including Tesla and Google are known to be working on fully autonomous vehicles, which presents the industry with a whole new set of challenges.
According to a report published earlier this year by KPMG, 81% of C-level executives within the industry reported that their companies had been compromised in some manner in the past two years. Few, if any, of these attacks were aimed directly at self-driving cars, but the data marks a clear trend of increased cyber-crime activity within the industry.
KPMG’s Cyber US Leader Greg Bell highlights the issue in the report, saying that “There is a cyber-awareness maturity curve for industries that have been providing Internet-enabled products and services for longer periods of time, versus relatively new products like personalised shopping and connected cars.”
Bell continues, “Hackers go after the weakest systems, not often the most traditionally lucrative like banks. However, as products evolve to use more connectivity and data, companies can’t afford to get this wrong and let the maturity model hold them back.”
Last year, a class action lawsuit against GM, Ford and Toyota showed how far behind the industry is when it comes to proactive cyber-crime prevention.
In the suit, filed by attorney Marc Stanley, Ford, GM and Toyota were called out “for failing to address a defect that allows cars to be hacked and control wrested away from the driver.” In short, the three companies allowed their customers to drive cars with significant security flaws, but failed to notify them.
The case argues that, in the wrong hands, the very technology used to control cars could be used to cause mischief or even accidents: once a vehicle’s systems are compromised, everything from the horn through to steering, acceleration and braking is potentially under an attacker’s control.
“We shouldn’t need to wait for a hacker or terrorist to prove exactly how dangerous this is before requiring car makers to fix the defect,” Stanley said. “Just as Honda has been forced to recall cars to repair potentially deadly airbags, Toyota, Ford and GM should be required to recall cars with these dangerous electronic systems.”
As reported by Network World, the US programme 60 Minutes showed viewers just how easy it is to compromise a car’s security, when DARPA’s Dan Kaufman remotely controlled a car’s windscreen wipers, sounded the horn and then disabled the brakes.
“Using a laptop, the hacker dialled the car’s emergency communication system, and transmitted a series of tones that flooded it with data. As the computer tried sorting it out, the hacker attacked, reprogramming the software and gaining total control of the car,” explained the show’s host Lesley Stahl.
She continued, “They can do this from anywhere in the world.”
Despite the criticism, Forbes reports that car manufacturers have been quick to respond to known risks of attack. But as things stand, applying a fix is still a manual process in which each driver must check for, download and install updates to their own vehicle.
Until a better solution is found, the industry is at the mercy of car owners remembering to update their software, and of attackers staying one step behind cutting-edge innovation.
Education is a sector that is home to some of the world’s best-known and most respected institutions, along with groundbreaking research into some of the most important problems we face.
Universities also contribute a huge amount to the UK economy, with the sector generating £87 million in IP in 2012-13 alone.
Because of this, it’s an industry that is subject to cyber attacks on a regular basis.
One of the most widely reported cyber attacks in recent history happened in December 2015. As the BBC reported at the time, university students across the UK were unable to submit any work after the national academic computer network, known as Janet, came under attack.
During the attack, which lasted for a number of days, students’ access to the network was reduced and at times completely unavailable. Services affected included educational websites, email services and assessment submission tools as well as external collaboration services for research staff.
The DDoS brought down national education infrastructure, putting student learning and submission deadlines at risk. Had the attack lasted longer, there is every chance that more significant damage would have been felt across the country’s higher education sector.
Although this attack was widely reported, it is not an exceptional case. According to research, 87% of universities have experienced at least one successful cyber attack, with over a third (36%) successfully attacked at least once an hour. The general consensus within the sector is that attacks are becoming more frequent, more targeted and, perhaps most importantly, more sophisticated.
Research by Comtact found that almost 65% of universities do not believe their current IT infrastructure will be able to protect them against attacks in the next 12 to 18 months. More worryingly, 27% reported that their current data centre is inadequate and in urgent need of updating, leaving the sector highly vulnerable to attacks of all kinds.
The trend of an increase in the frequency and severity of attacks, alongside the fact that few universities are correctly prepared to deal with them, means that a huge investment in infrastructure should be at the top of any university’s priority list.
An industry so far ahead in research and development should be leading the way in cyber-crime protection and prevention, to protect both its own interests but also the wider interests of the economy and the students it serves.
There’s big money in retail, and increasingly, that money is heading online.
Although only around 20% of all retail transactions take place on the internet, the sheer scale of items sold in the UK means that this small percentage still accounts for billions of pounds each year.
In April, the Financial Times suggested that retailers must pay “serious attention” to making their businesses safe from the threat of cyber attacks. The report came after industry research suggested that stores simply are not as prepared for online attacks as they need to be.
According to the report, published by UpGuard, many British retailers are failing to meet the demands placed upon them by the current state of play on the internet, and could do more to protect their business, their customers and the data that passes between the two.
Clothing retailer Matalan was one of the key businesses singled out in the report, but big names such as Waitrose, Tesco, Topshop and Debenhams also ranked highly among businesses that could do more to protect themselves online.
Despite this, the FT reported that many of the companies named in the report disputed its findings, saying that their online security efforts are focused on protecting the most sensitive areas, including credit card entry pages and customer information databases.
Retail businesses may well be quick to assure customers that their data is safe, but Kiddicare showed just what can go wrong back in May, when as many as 794,000 customers were affected by a data breach.
The retailer said that names, addresses and telephone numbers had all been taken during the hack.
The breach did not take place on Kiddicare’s main website, but on a microsite the company had set up for testing. Despite the fact that the very purpose of the site was to test things and to expect them to go wrong, Kiddicare populated its database with real customer data.
At the time of the attack, the company was keen to stress that no payment information had been taken, but it did apologise for the stress and anxiety that may have been caused to customers.
This case goes to show that cyber security should be adopted as a key policy within businesses of all kinds, and not treated as a checklist item ticked off before a website is deployed. The breach did not involve the main Kiddicare website, which followed the usual guidelines for keeping customer data safe; it was a lack of cyber-security awareness in one small part of the business that led to a huge oversight and exposed the company to significant liability. A test environment is rarely protected to production standards, so any real data copied into it inherits the weaker controls.
The advice to any online retailer is simple: make sure that appropriate protection is applied throughout the storage, handling and destruction of data, as well as to payment processing. Attacks come in many forms, so staying up to date with the latest threats to the industry is hugely important for everyone in any retail business.
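The practical lesson from the Kiddicare case is that test environments should never hold real customer records. One way to enforce that is to pseudonymise production data before it is loaded as test fixtures, and to refuse the load if any real identifier survives. The following is an added example written for this article; it is not Kiddicare’s code, and the field names, the sample records and the per-environment key are all constructed for illustration.

```python
"""Pseudonymise production customer records before they reach a test site.

Added example for this article (not the retailer's own code). The record
layout, the sample data and TEST_ENV_KEY are constructed assumptions.
"""
import hashlib
import hmac

# Constructed sample of what a retailer's customer table might hold.
# Record 3 deliberately repeats record 1 so that "same customer" behaviour
# can be checked after pseudonymisation.
PRODUCTION_RECORDS = [
    {"id": 1, "name": "Alice Example", "email": "alice@example.com",
     "phone": "07700 900123", "address": "1 High Street, Leeds, LS1 1AA"},
    {"id": 2, "name": "Bob Sample", "email": "bob@example.org",
     "phone": "0113 496 0000", "address": "22 Market Road, York, YO1 7HH"},
    {"id": 3, "name": "Alice Example", "email": "alice@example.com",
     "phone": "07700 900123", "address": "1 High Street, Leeds, LS1 1AA"},
]

# Fields that identify a person directly and must never reach a test site.
DIRECT_IDENTIFIERS = ("name", "email", "phone", "address")

# Secret held only by the fixture-generation job, never shipped with the
# test site. Constructed value for the example.
TEST_ENV_KEY = b"constructed per-environment secret, rotate per refresh"


def _token(key: bytes, field: str, value: str, length: int = 12) -> str:
    """Keyed, deterministic token for one field value.

    Using an HMAC rather than a plain hash means that the same input always
    maps to the same stand-in (so joins and duplicate-customer logic still
    work in testing) while nobody without the key can recover, or even
    confirm a guess at, the original value. The field name is mixed in so
    the same string in two fields yields two different tokens.
    """
    mac = hmac.new(key, f"{field}\x00{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy of ``record`` with every direct identifier replaced by a
    format-preserving stand-in, so the test site's validation still passes."""
    out = dict(record)
    tok = {f: _token(key, f, record[f]) for f in DIRECT_IDENTIFIERS}
    out["name"] = f"Customer {tok['name']}"
    # .invalid is reserved (RFC 2606): test mail can never reach a real inbox.
    out["email"] = f"user-{tok['email']}@test.invalid"
    # 07700 900000 to 900999 is the UK range reserved for fiction and drama,
    # so a pseudonymised number can never dial a real subscriber.
    out["phone"] = f"07700 900{int(tok['phone'], 16) % 1000:03d}"
    house = int(tok["address"], 16) % 999 + 1
    out["address"] = f"{house} Test Street, Testville, TE5 7ST"
    return out


def find_leaks(test_records: list, production_records: list) -> list:
    """Return (id, field) pairs where a production identifier survives
    verbatim in the test data. An empty list means the fixtures are clean."""
    real = {(f, r[f]) for r in production_records for f in DIRECT_IDENTIFIERS}
    return [(r["id"], f)
            for r in test_records
            for f in DIRECT_IDENTIFIERS
            if (f, r[f]) in real]


def build_test_fixtures(production_records: list, key: bytes) -> list:
    """Pseudonymise every record and refuse to hand back fixtures that still
    contain real identifiers. This is the gate a fixture-loading job should
    run before anything is written to a test database."""
    fixtures = [pseudonymise(r, key) for r in production_records]
    leaks = find_leaks(fixtures, production_records)
    if leaks:
        raise ValueError(f"production identifiers leaked into fixtures: {leaks}")
    return fixtures


if __name__ == "__main__":
    for row in build_test_fixtures(PRODUCTION_RECORDS, TEST_ENV_KEY):
        print(row)
    # Loading raw production data is exactly the Kiddicare mistake; the gate
    # rejects it.
    print("raw load leaks:", find_leaks(PRODUCTION_RECORDS, PRODUCTION_RECORDS))
```

The gate only catches verbatim copies; the real protection is that the generation step never emits anything but tokens, and the key used to derive them stays with the production-side job. Because tokens are deterministic per key, a refresh with a new key produces a fresh, unlinkable set of fixtures.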
All of these cases show the same thing: whatever the industry, there are a large number of potential weak spots that attackers will target and, in some cases, will breach.
The best policy for any business in any market is to protect against potential threats before they happen, using a mix of strong digital and physical security, as well as maintaining a high level of staff training around key cyber-security policies.
Prevention is always better than cure, and when millions of pieces of data are at risk, there’s no time like the present to start taking cyber-security that bit more seriously.