Cyber attacks are in the news again, and the government’s Cyber Security Breaches Survey 2024 reckons the problem is acute. It found that 50 percent of businesses were subjected to a cyberattack or breach in a 12-month period.
By far the most common type of breach or attack is phishing (84 percent of businesses). This is followed by others impersonating organisations in emails or online (35 percent), and then viruses or other malware (17 percent).
Those suffering incidents are faced with costs of approximately £1,205 on average, but for medium and large businesses this rose to around £10,830. Of course, ‘average’ means that some losses are lower and others much higher: cybersecurity firm Sophos found that the average payment by UK organisations in 2023 was greater than the global average, at $2.1m.
For automotive, CSO Online reported, in September 2023, that “almost two-thirds of automotive industry leaders believe their supply chain is vulnerable to cyberattacks, with many businesses inadequately prepared.” Indeed, White Hat noted, some six months earlier, that just as Ferrari fell victim to a ransomware attack, there have been others – VW and Audi were both hit by a data breach that exposed details of 3.3m customers, and Renault was struck by WannaCry ransomware.
These organisations are larger than an independent garage, distributor, or factor, but the risk is just the same.
Defining a cyberattack
So, what is a cyberattack? Dai Davis, solicitor and partner at Percy Crow Davis & Co, agrees with the Wikipedia definition: “any attempt to expose, alter, disable, destroy, steal or gain information through unauthorized access to or make unauthorized use of an asset… that is a computer information system, computer infrastructure, computer network, or personal computer device.”
He says that it “matches the broad definition of an offence under s1 of the Computer Misuse Act 1990 which criminalises any action that ‘causes a computer to perform any function with intent to secure access to any program or data held in any computer where that access is unauthorised’.”
Roy Isbell, director at Information Assurance Strategies Ltd, agrees. He defines a cyberattack as “fundamentally the interaction of a threat actor with a particular system with the intention of achieving a particular outcome.”
As to where threats originate, Davis says that some attacks are performed by ‘script kiddies’ “who try to hack into systems for fun. For the criminally minded, making money is the goal and they’ll attack anything that pays them to do so.” “They may,” says Davis, “send out millions of scam emails in the expectation that only a few people will fall for the con; alternatively they may target a particular ‘rich’ target but in a more subtle, considered manner.”
Of course, at the extreme, states such as China, Russia and North Korea attack companies to steal technology.
Worryingly, as Isbell points out, COVID altered the landscape somewhat because “we now have a more distributed business model with some workers working from home, often on shared networks with only limited security implemented.”
And Davis has found that any newsworthy topic may be used to persuade a staff member or individual to click on a link that will take them to a compromised website.
Security is a relative term
No system is perfect. But Davis knows “that the amount of effort it takes to breach a system is proportional to the amount of effort taken to secure the site in the first place.”
Moving on, Isbell says that a security breach is “not a single event or tool, but a combination of knowledge, skills and intelligence used in sequence to achieve the outcome the threat actor wants to achieve.”
For him, the only way to achieve 100% security is for a system to be disconnected from the internet. He emphasises that cyber security is about managing risk – “this requires that we spend time evaluating and understanding the cyber environment and what it is we need to protect; it is not always the data that requires protection, but the systems themselves, especially where the system is deemed critical.”
Countering threats
As both Isbell and Davis detail, there is no easy way to counter cyber threats.
Apart from an organisation’s own systems, Isbell would also look at its supply chain, “especially where processes may share data between firms.” For him, “an understanding of the firm’s cyber ecosystem is essential… and not just focussed on the data that resides on the various IT systems it may have.”
Davis, on the other hand, would create a budget and bring in an independent consultant. He cautions against placing too much reliance on specific security products, “many of which are good, but which solve only the security issue that the particular vendor advertises.”
Staff training is something else to consider. But as Davis warns, “training needs to be regular. There is little point in only training during induction week… staff may be sent a malicious email containing a spurious link at any time.”
Isbell too values training. He says that “the most efficient and well understood security environments I have witnessed are where the company has worked to develop security as part of the culture of the organisation.”
And then there’s the option of placing a warning on every email staff members receive, flagging that it has come from an external source and may be malicious. But on this Davis thinks that “it is likely to be ignored as the staff member is anxious to read the email not the header.”
Crucially, Isbell recommends including cyber security breaches as part of disaster recovery planning: “Whilst some firms have been unable to continue after a cyberattack, those that had a robust incident response plan have not only been able to recover but recovered faster and minimised the overall impact on the business.”
The risks from doing nothing
Those that do nothing, and suffer an attack, risk legal fallout. Davis points to fines under the civil part of GDPR, the General Data Protection Regulation. He says that the probability of a fine is tiny, but the risk of criminal sanction under the GDPR is not: “Criminals, like regulators, have limited budgets and look for ‘low hanging fruit’. If you can make your business more secure than that of your competitors, it will be enough to persuade some criminals to look elsewhere for a softer target.”
Beyond that, Isbell says that apart from implementing security, firms should have “some form of monitoring… if none is implemented, the firm will not know it has been breached until the breach is made public.” When this happens, there comes a natural question – “who would trust an organisation that does not take security seriously?”
And then there’s the risk of corporate failure…