The TalkTalk cyberattack in the last week is just the latest in a litany of data breaches at large and small companies alike. This is the third hack on TalkTalk in 2015 alone and a survey of UK companies in 2015 found that in the past year 74% of small businesses and 90% of large ones had suffered a cyber breach. While in 2014, the so-called ‘Heartbleed’ bug, allowed hackers to steal passwords, credit card details, encryption keys and other sensitive data, without leaving any trace from some of the web’s largest sites, including Facebook, Google, Yahoo and Amazon.
Percent of small and large companies surveyed who had a cybersecurity breach in the past year, 2013-2015
Our increasing reliance on internet-connected devices has been accompanied by the development of a new set of cyber threats and it seems to be the case that the question is not if, but when, the next hack happens.
So what steps can the Government take to support better cybersecurity protocols and what is the industry doing to protect itself against future hacks.
Zero-day vulnerabilities are one of the most serious cybersecurity threats confronting companies today. A zero-day vulnerability refers to a hole in software that is unknown to the software vendor. If hackers and cybercriminals discover a zero-day vulnerability, they may exploit the security hole in what are known as zero-day attacks. This is a rapid attack that takes place before the security community or the software vendor knows about the vulnerability or has been able to repair it. This window can last days, weeks, months or even in exceptional cases years. And as many companies and websites use the same software, this vulnerability can leave many companies and several different websites open to attack.
Preventing a zero-day attack is difficult because those vulnerabilities are by definition unknown to software vendors and the wider security community. As a result, companies require tools that will protect them against both known and unknown vulnerabilities.
The ‘Heartbleed’ bug in 2014 exposed a zero-day vulnerability in software used by almost two thirds of all websites. The ‘bug’ was introduced to OpenSSL—open source software designed to encrypt communications between a user’s computer and a web server—in December 2011 and was vulnerable to hacks from 14 March 2012 until a software patch fixing the bug was released on 7 April 2014. This patch did not arrive before many people’s credit card details, encryption keys and other sensitive data was hacked, revealed and likely traded online on the ‘dark web’.
Disseminating best practice: The Government’s ‘Cybersecurity kitemark’
The central plank of this, and the previous, Government’s strategy for boosting the take-up and understanding of cybersecurity issues in both the public and private sector is the National Cyber Security Strategy.
As a part of this strategy, the previous Government established both the Cyber Security Information Sharing Partnership (CiSP) (a joint industry government initiative to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and reduce the impact on UK business) and introduced a “cybersecurity kitemark” for firms that do business with the Government.
The kitemark is intended to stimulate the adoption of good cyber practices among business and help them to better understand how to protect themselves. The ultimate aim is for the kitemark to increase the nation’s collective cyber security. As of the end of February this year, 333 organisations had achieved Cyber Essentials accreditation and 72 had achieved Cyber Essentials Plus accreditation.
Since the launch of the cyber security strategy, awareness and preparedness of cybersecurity issues has grown. This is seen in the results of the most recent cyber governance health check, which assesses and reports on levels of cybersecurity awareness and preparedness across the FTSE 350. In August 2013, the first cyber governance health check, showed that only 25% of companies considered cyber a top risk and just 56% had cyber on their risk register. While the results for 2014, showed that 88% of companies now have cyber on their risk register and 30% of boards received regular high level cyber security intelligence from their CIO or Head of Security, up from 18% the year before.
Cyber re: Can you insure against cyber losses?
Cyber risks are hard to model and unusually systemic. As the Financial Times puts it: ”A vulnerability in widely-used software or internet architecture can bring down systems globally, putting the industry on the hook for simultaneous, multibillion-dollar payouts.” This means that while cyber insurance policies do exist, they charge high premiums.
The cyber insurance policies that do exist provide cover for losses relating to damage to, or loss of information from, IT systems and networks and generally include significant assistance with and management of the incident itself, which can be essential when faced with reputational damage or regulatory enforcement.
Because of the unpredictable, systemic high risks posed by cyber, there have been recent suggestions to establish a ‘Cyber Re scheme’ modelled on the UK’s state-backed Pool Re scheme for terrorism cover. Indeed, Stephen Catlin, the founder of the Catlin Group (the largest Lloyd’s of London insurer), told an insurance industry conference in February 2015 that cyberattacks are so dangerous to global businesses that Governments should step in to cover the risks. These fears are to an extent supported by the findings of a March 2015 report which looked at joint initiatives between government and the insurance sector to tackle cyber risk. This report estimated that, in 2014, the global exposure of the insurance industry to cyber risk stood at around £100 billion and that in 3-5 years’ time the industry possible maximum loss for cyber risks could exceed the global insurance/reinsurance capacity available for other aggregating events, such as nuclear disaster (£3 billion) or natural catastrophe £65 billion.
Stephen Catlin argued that managing such large systemic cyber liabilities was a job for Governments. But there is currently no suggestion that the Government has any plans to take this forward.