Web Security – how vulnerable are you?

By Shiela Lumsden on 31 Oct 2015

We all tend to be blasé about security until we’re attacked. Whether it’s your personal possessions, your home, your website, or your servers – we find it natural to be open and generous until the attacker strikes, then, feeling violated we finally put up alarms and defences, and wonder why on earth we didn’t take reasonable precautions in advance.

Over recent months we’ve had an increase in requests for our vulnerability testing service. Often these requests have come after the proverbial horse has bolted, so we are increasing our focus on this area in client communications to remind everyone of the importance of acting before rather than after the event.


Small to medium sized businesses most at risk

Headlines are usually grabbed by big brand companies who experience breaches, but those most at risk are actually small to medium sized businesses, with 60% of all targeted attacks being aimed at smaller companies. Government statistics show 74% of small to medium sized businesses reported a security breach in the year to June 2015 and the average cost of the worst breaches to SMEs was between £75,000 and £310,800.

When diverted resources, customer loss, brand damage and shareholder value are taken into account the impact of a major breach can prove a fatal blow. Competing priorities for tight financial resources can also make it more difficult for smaller businesses to channel efforts towards security in the first place – and of course cyber-attackers know this and are keen to exploit it.

The attackers themselves are becoming increasingly sophisticated and targeted in their approach, doing their research into vulnerabilities and acting very quickly to exploit opportunities. This leaves the security industry playing catch-up so it is more important than ever to focus on planning and testing rather than reaction.

According to Symantec, in September alone, 38.5 million new pieces of malware were created and ten zero-day vulnerabilities were disclosed. Over the period from October 2014 to July 2015, typically one or two zero-day vulnerabilities each month were disclosed, but this rose to eleven in August and ten in September, and in October, Adobe Flash was hit yet again with a zero-day exploit.

On the upside, the cumulative count of new and updated product vulnerabilities has fallen for the first time in years, which Cisco puts down to growing attention to software testing on the part of vendors and improved development lifecycles – making a great case for DevOps, with its focus on frequent releases and automated testing.

While it might seem that the headline-hitting 2014 zero-day attacks, Heartbleed and Shellshock, were quickly dealt with, in fact the top five such attacks in 2014 were actively used by attackers for a combined 295 days. Attackers surged to exploit the Heartbleed vulnerability within four hours of it becoming public, while vendors reacted much more slowly to create and issue patches. This is where a web application firewall can help stop attacks before patches are available.

Increased automation of patch deployment by Adobe and Microsoft, who have historically been slow in releases, has simply led attackers to shift their tactics. Attackers are increasingly working on vulnerability research, trawling through applications to find vulnerabilities in areas considered to be secure. Shellshock is an example of this: a twenty-five-year-old vulnerability was discovered and publicised, and attackers weighed in within hours.

Good security processes are the best defence

The WhiteHat Security Statistics Report 2015 analysed data from their security product, Sentinel, as well as a customer survey. In their research of 30,000 websites, they found that 86% had at least one serious vulnerability and 56% had more than one – in many cases far more than one.

WhiteHat’s takeaway from the exercise was that vulnerabilities are plentiful and they stay open for weeks or months. They found that it isn’t the programming language, the development processes employed, the industry vertical, or the size of the organisation that really determines which sites or companies perform better or worse in terms of security. The best-scoring organisations are those with good security processes and administration in place, which also share their findings openly with the wider business. WhiteHat believe that visibility and accountability are key.

Impacts of Cyber-attacks on UK businesses

A 2014 study by Oxford Economics and the Ponemon Institute looked at the impacts of state-sponsored cyber-attacks on UK companies. It makes fascinating reading, looking at questions such as why countries become involved in illegal activities in the first place. They surveyed 427 IT professionals, mainly from large companies, with less than 10% having revenues under £20m; but it’s not hard to extrapolate the impacts for smaller businesses.

The survey didn’t limit itself to state-sponsored attacks but looked at cyber-attacks overall, and 60% of the companies surveyed had experienced some sort of cyber-attack within the previous 12 months. Not surprisingly, they found the greatest cost to UK companies was reputational damage, but 20% of companies also suffered losses of IP or commercially sensitive data, and 59% of those companies reported that this had led to a loss of competitive advantage.

The costs reported included clean-up/remediation, lost productivity, disruption to operations, reputational/branding loss and damage/theft of IT. For these large businesses the losses across these areas ran into millions of pounds, and even after adjusting for outliers the figures were still close to £1m. Run the same calculations for more modest turnovers and the losses could easily prove unbearable.

When you consider these findings in conjunction with Symantec’s report that small to medium sized businesses are most at risk, the implications are significant.

To try to understand the financial impact of reputational losses, Oxford Economics looked at the stock market returns for larger companies and found a correlation that led them to conclude that investment in IT security to prevent cyber-attacks may maintain shareholder value for these companies.

The majority of respondents spent 10% of their IT budget on security, a significant increase on the previous year; however, the challenge of making the case for funding to the rest of the business was a common theme. Any reader struggling with a similar problem could find great help in making their business case by studying the report in detail (link below).

The Criminal Value of Data

TechCrunch published a really good article in October giving an insight into data breaches from the criminal perspective, covering how much data is worth and how the market in it works. They report that the value of data depreciates very quickly after a breach, since data needs to be exploited before the victims take protective action. This clearly shows the importance of notifying customers rapidly following a breach, rather than finding yourself in the situation TalkTalk recently experienced.

At EveryCity we are able to support our customers with a range of security services, many at no additional cost; call or email us for further information.

TechCrunch – Valuing a data breach victim

Cisco Annual Security Report

Oxford Economics – Cyber-attacks: Effects on UK Companies

Symantec – Threat report