Tucked away in an office block in central London is a room dedicated to finding flaws in organisations’ cyber defences. Many such rooms exist. It’s just that few are operated by the good guys.
On the wall, a large screen illustrates the main computer viruses and where in the world they are currently wreaking havoc. Another offers a glimpse into the dark web – the hidden realm of the internet that most people aren’t aware even exists – and displays messages from a chat-room where anonymous hackers congregate to boast about their attacks.
Facilities like this are increasingly important because the stakes are so high. In the Sony PlayStation hack of 2011,[1] some 77 million user accounts were compromised. Yet even this was eclipsed by an attack on Yahoo,[2] which lost personal data for 500 million people in 2014 – a fact that was only disclosed in September 2016.
Such big numbers can sometimes lack meaning, but on the dark web, email addresses and passwords are highly prized. People re-use passwords for multiple accounts, including online banking. And while blockchain technology may one day prove a solution, the theft of Bitcoin[3] worth $72 million from a Hong Kong exchange in August 2016 demonstrates that it’s not yet infallible.
Indeed, the currency is the default payment preference for cyber extortion. It’s a problem that is currently rife in the ASEAN region and Latin America with financial services particularly affected. The findings come from the latest Grant Thornton International Business Report (IBR), a quarterly survey of 2,500 business leaders in 37 economies worldwide.
What’s also apparent from the IBR is that the cyber threat is no longer limited to code-breaking teenagers operating from their bedrooms. The total cost of cyber attacks to business over the past 12 months is estimated at $279billion,[4] a 6% increase over the previous 12 months – it’s a huge global industry.
A sobering statistic is that financial loss isn’t even the biggest consideration. Reputational loss, the amount of management time it consumes, the resulting loss of customers and the costs of putting best-practice defences in place are rated as more important than direct loss of turnover.
FBI director James Comey highlighted the extent of the problem in 2014, telling 60 Minutes[5] “There are two kinds of big companies in the United States. There are those who've been hacked and those who don't know they've been hacked.”
Comey’s focus was on state-sponsored hacking, explaining that certain countries are “extremely aggressive and widespread” in their efforts to break into systems to steal information that would benefit their industries and economic growth.
The message is clear – if you run a dynamic enterprise, being obsessively concerned about safety is not a sign of paranoia. Someone, somewhere, is out to get you. There are ‘hacktivists’ pursuing what they see as an ethical agenda, hackers working for organised crime, state-sponsored hackers and terrorists. It’s only a matter of time before your organisation becomes a target – if it hasn’t already.
How do organisations begin to combat such threats? The key outcome is to achieve realistic resilience, which is where London’s cyber room comes in. Grant Thornton UK’s lead penetration tester Nick Smith is what’s known as an ethical hacker – a computer and networking expert who systematically attempts to penetrate a computer system or network on behalf of its owners to find security vulnerabilities that a malicious hacker could exploit.
Smith says: “Our job is not to make your network impregnable – it’s simply not possible. We have skills, but we don’t have a very large group of people and millions of dollars to spend and that’s what you’re up against sometimes. There will always be people coming up with new methods to attack organisations, too. “We will go on the offensive to find all the faults and flaws we can. Then we will write a report and offer recommendations on how to be as secure as possible. Organisations need a pragmatic response to the threat.
“Prevention is far better than dealing with the effects of a cyber-attack. Would you rather spend time on your cyber defences, or in fraught negotiations with extortionists?”
Comey highlighted the scale of the challenge when he told 60 Minutes: “The internet is like the most dangerous parking lot imaginable. If you were crossing it late at night, your entire sense of danger would be heightened. You'd know where you were going. You'd walk quickly. You would look for light. But folks are wandering around that proverbial parking lot all day long, without giving a thought to whose attachments they're opening, what sites they're visiting. And that makes it easy for the bad guys.”
Comey’s metaphor is backed up by research. IBM’s 2014 Cyber-Security Intelligence Index Report[6] noted that human error is involved in 95% of security incidents. It’s a lack of foresight that was highlighted in a recent experiment by Grant Thornton Ireland. To raise awareness, it arranged for a number of memory sticks to be dropped around Dublin. Within minutes, the sticks had been picked up and were being used by unwary employees.
The ease with which a malicious hacker could gain access to a network in this way is something Manu Sharma, head of cyber security and resilience at Grant Thornton UK, is all too familiar with. He says: “We’re developing an advanced security centre. From this room, we conduct vulnerability-testing exercises on our clients. We also simulate different client scenarios and show them what might happen in a cyber attack.
“Not everyone realises just how easily mobile devices and networks can be compromised and the risks are enormous. It’s no longer an issue for CIOs alone".
Cyber-security needs to be on the agenda of the entire c-suite and it needs a company-wide approach. The more companies delay their response, the more the threat grows. Organisations need to take action now.
To find out more about how to build cyber-resilience for your business, contact Manu Sharma at manu.sharma@uk.gt.com.
[4]The Grant Thornton International Business Report (IBR), launched in 1992 initially in nine European countries, now provides insight into the views and expectations of more than 10,000 businesses per year across 37 economies. Cost of cyber figure is calculated using IBR figures and World Bank GDP data, plus estimates of global business revenues.