What have I to fear from a cyber-attack?
Do you have anything to fear from a cyber-attack? The answer is probably yes. Intrusive or disabling attacks on critical computer systems are becoming increasingly commonplace and are likely to increase to a level of serious concern. All businesses are potential targets and no sector is immune.
The two strategies of a hacker are either:
- to disable your computer system either temporarily or permanently, so denying you access; or
- to take or change something that is held on or in a computer system, by force or by stealth.
In the latter case, the activities are solely for the purposes of gain whereas in the former case it is possible that attacks may take place on ideological grounds.
So even if you think that it does not apply to you, it probably does. Here we explain simply what you can expect by way of a cyber-attack.
Denial of access to your system
The denial of service activity is usually associated with an individual or group that bears some sort of grudge against an organisation which relies heavily upon its computer systems. The grudge can be ideological such as an animal rights group trying to disable the server of a bio-experimental organisation, or it can be personal, for instance an ex-employee seeking to embarrass a former employer because of some perceived slight or indignity either at the workplace or as a result of being discharged from it. This could happen in any organisation.
Denial of service attacks have been known to last anything from minutes to days and are first noticed either by a very marked decrease in traffic going to and from your server or a phone call from a security agency informing you that the domain name system (DNS) is being attacked and that access to your server as a result is being compromised.
The essence of a denial of service attack is to ensure that so many repeated requests are made of the DNS that legitimate customers cannot access the servers of people with whom they wish legitimately to trade. This would suggest that those who are carrying out the denial of service attack do so because they wish to deprive the target organisation of the ability to communicate in some way or another.
Whilst it is possible to obtain insurance and adopt procedures to weather out a denial of service attack, such attacks are fairly difficult to stop once they have started and the best strategy is simply to wait until the storm is over. Catching the perpetrators of such attacks is nigh on impossible unless there is an insider who is willing to provide evidence of their wrongdoing and that of those in their cohort.
Entry to your system
The other form of cyber-attack is more insidious in that it involves a person gaining entry to your server without you realising it. Instead of having the DNS besieged by repeated requests compromising your bandwidth, it is more a case of a person entering your system as a single user and expropriating, deleting or otherwise corrupting your informational assets (or threatening to do so unless funds are deposited in a far away and untraceable bank account).
In some cases direct entry may not be possible and indirect methods may be used such as implanting a virus on detachable media or in an email, or by way of downloadable information from an unsecure or unverified website. Of course once the disrupting software is in your computer system, the hacker has a better chance of circumventing entry security.
In addition to the impact of the theft of your own financial or strategy information, if you are the victim of a cyber-attack you will also have to comply with the requirements of financial and information regulators, including in relation to personal information which may be compromised during the attack. So if you are in an organisation with an IT team, comply with their security requirements. Make sure that documents and valuable data are hard to get at and not easily lost, and that passwords are secure.
What is being done?
There are two strands of activity which may be of interest to you.
The first is that the EU is striving for much more coordination and sharing of information between cyber authorities and agencies of different member states. Whilst this will not stop cyber-attacks as such, it will enable them to be understood more completely – a current problem is that we know little about "the who" and "the how" and precious little more about "the why".
The second is that cyber-attack insurance is becoming increasingly available and is reasonably well priced (although in both cases less so if large levels of cover are required). This, in turn, is due to an increased willingness to insure based upon a better understanding and appreciation of risk – more information is needed but the network security initiatives of the European governments should assuage that problem in time.
What should I do now?
The answer is not nothing. Assess your own risk and vulnerability. The following questions might help:
Do you hold data? Probably yes.
Is it valuable? Almost certainly some and possibly all of it, in particular data relating to business strategy, IP and financial information.
If so, then how valuable might your data be to others outside your organisation? The answer will depend upon the kind of data in question.
Are you regulated? You are most certainly regulated by the Information Commissioner but you might also be regulated by the Financial Conduct Authority or equivalent.
Be aware of your company’s policies and follow them. Do those policies cover privacy, detachable media, IT security and internet usage?
Has your organisation thought about insurance? Insurance is available – your premium may depend upon the measures you adopt to protect your business against a cyber-attack. Having a security consultant goes a long way to reducing your premium.
Is there a PR plan in case things go wrong? You should have a reception policy, website policy, remedial policy, reporting policy and draft press releases on hand.
Do you know your organisation’s recovery plan? Make sure you find out about it. You may employ recovery consultants. Do you know who to contact?
Might court proceedings help? It is always best to have solicitors on standby with application notices and outline evidence ready, enabling you to act quickly if necessary.
If you would like any more information on the matters raised in this article, appropriate policies and procedures or the legal aspects of cyber security generally, please contact Lee Gluyas or Ashley Roughton. We will be happy to help.