Few corporates are confident of their ability to detect sophisticated cybercrime, but a strategy to respond to a data breach and comply with legal obligations should be part of every corporate plan.
There is literally no getting away from cybercrime, whether it's the daily spam in our inbox or the continuous news stories of yet another serious corporate data security breach. Bloomberg has reported that Uber, the digital taxi-hailing company, actually paid hackers to keep quiet and delete the data they had stolen relating to 57 million customers and drivers. The hackers – reportedly two individuals – were paid $100,000 to delete the data and not tell anyone. The company was legally obliged to report the data breach, which occurred in October 2016, to regulators and to the drivers whose licence numbers were stolen, but it took the unprecedented move of choosing to conceal the breach for over a year.
This article in The Washington Post goes a step further, suggesting that we're currently embroiled in a fully fledged cyberwar, but that much of it is of our own making. It channels the words of a famous US cartoonist, Walt Kelly, whose character Pogo said: “We have met the enemy, and he is us.”
Only 12% likely to detect sophisticated cyberattack
So it's no surprise that the majority of companies are worried about the increasing impact of cybercrime and that most say they need to spend considerably more on addressing increased cyber threats. This is according to EY's Global Information Security Survey (GISS), Cybersecurity regained: preparing to face cyber attacks, a survey of 1,200 corporate executives, which suggests that companies “believe that today’s cyber threat landscape places them at high risk of cyber attacks”. The key findings from the research show that:
- 56 per cent of companies are concerned about the increasing impact of cyber threats on their strategies and plans;
- 87 per cent say they require up to 50 per cent more funding to address increased cyber threats; and
- just 12 per cent say they are likely to detect a sophisticated cyberattack.
EY's Paul van Kessel commented: “The most successful recent cyber attacks employed common methods that leveraged known vulnerabilities of organizations. Also, the increasing hyper-connectivity and waves of new technology, while creating huge opportunities, introduces new risks and vulnerabilities across the organization.”
CTMfile take: Uber's breach seems to have broken new ground in how not to handle a data breach – and the company might have to pay dearly for that mistake. Companies need to think not just about their data security and cybercrime prevention strategies – but also their crisis management policy for handling the aftermath of a breach. Following legal obligations to report a data security breach within the required timeframe is essential to limit reputation damage and of course to ensure your company doesn't breach regulations, which are due to change when GDPR comes in next year.