Hackers: can you protect your business from ‘the crime of our era’?

29 October 2015 -

TalkTalk is the latest high-profile name to fall victim to hackers as UK businesses are subjected to 625,000 cyber attacks a month. Can you do anything to protect yourself?

Jermaine Haughton

TalkTalk may be facing its biggest challenge to date. Not only does chief executive Dido Harding face tough decisions on how to maintain and maximise the internet service provider’s profit margins (it’s up against larger rivals BT and Virgin), but TalkTalk will almost certainly have to overhaul its cyber security systems and policies following the recent data breach.

As the Metropolitan Police’s investigation into the cause of the cyber attack on TalkTalk’s website led officers to a working-class industrial town in Northern Ireland, TalkTalk’s management have been engaged in a face-saving mission to curb the financial and reputational damage caused to its brand. Harding has been praised for quickly fronting up to the media as the company launched its crisis management plan.

Millions were wiped off its share value after TalkTalk publicly revealed on Thursday that the bank details and personal information of its four million customers may have been accessed. Hackers reportedly distracted the company’s IT staff with a distributed denial of service attack, which forced TalkTalk’s website to shut down with the bombardment of traffic; they then initiated a breach of its firewalls to access company-specific information.

After a few days of near-apocalyptic warnings, TalkTalk was able to report that the breach was “smaller” than initially feared, and that the cyberbreach had not penetrated the firm’s core system. Therefore, customers were told that they were highly unlikely to suffer financial loss but were warned to be vigilant to receiving more targeted phishing emails and scam communications.

“The awful truth is that every company, every organisation in the UK needs to spend more money and put more focus on cyber security - it's the crime of our era,” TalkTalk CEO Dido Harding told the Daily Telegraph.

TalkTalk is not alone; this attack is just the latest in a string of hacks that have hit some the world’s biggest brands, raising many questions about how secure information really is once it is placed on the World Wide Web.

Sony Corporation was at the centre of an international hacking scandal as a series of attacks on its systems last November culminated in an anonymous threat of September 11-style attacks on cinemas if they screened the movie studio’s new film The Interview, a comedy about a plot to assassinate North Korean ruler Kim Jong Un.

The film, directed by Seth Rogen and Evan Goldberg, was set to be opened across the US last Christmas, but the “vicious” attack forced the FBI to launch investigations, the cinema release of the movie to be dropped and further sanctions to be applied to North Korea – who secret service officials pointed to as the originators of the attack.

“Online affairs” website AshleyMadison.com also experienced a severe data breach earlier this year by the self-proclaimed Impact Team, who released the company’s stolen user databases, leaked maps of internal company servers, employee network account information, company bank account data and salary information.

The effects were grim. The secretive nature of the site, connecting married individuals who would like to have extra-marital affairs, has led the leak to be linked to several subsequent suicides, including Texas police officer Michael Gorhum who took his own life just days after his official San Antonio city email was published as part of the Ashley Madison hack.

Can anything be done?

In a television interview, TalkTalk’s Harding asked: “Can our defences be stronger? Absolutely. Can every company’s defences be stronger?” before pointing out that there were 625,000 cyber offences each month in the UK during the summer. GCHQ, the cyber espionage branch of the British secret services has said the number of cyber attacks is on the increase.

Politicians, business leaders and cyber experts have all urged for concerted action to be taken both in Parliament and in boardrooms to secure Britain’s cyber security networks.

The Institute of Directors senior corporate governance adviser Oliver Parry urged the police to make cyber-crime an "urgent priority and investigate theft of data just as it would theft of physical property". Former home office minister Hazel Blears said the TalkTalk data breach was "a wake-up call", adding that further regulation is needed "because this is probably the biggest threat to our economy".

A report this year from PwC found that 90% of Britain’s large-scale companies had been hit by security breaches. Richard Horne, PwC’s cyber security Partner, explained: “All organisations depend on digital processes, data and systems. This makes them increasingly vulnerable to being manipulated. Cyber security is about ensuring your business is resilient to that manipulation to prevent fraud, theft of sensitive data or business disruption, and the severe risks to reputation that comes with that.

“It requires the whole organisation to pull together to protect its future and the wellbeing of those it interacts with. Organisations should not be in fear of the threat; they just need to be confident in their ability to manage the risk.”

While these are treacherous and technical waters, there are some lessons for business leaders who want to reduce the risk of becoming the next victim of cyber criminals.

1. Understand the potential threats

Preparation is the key to limiting and deterring the threat of cyber attacks. Managers should be constantly reviewing any internal and external vulnerabilities in their business web systems, such as any easy entry points for hackers.

To do this, managers and employees should know the different forms of cyber attack, including social engineering, malware and systems hacking.

2. Integrate the cyber security policy within the corporate culture

Web and IT security is no longer just for the computer geeks. Cyber security policies must permeate throughout every process and decision with a company. From using complex, unique passwords to backing up files correctly, employees should be educated on the suitable warning signs, safe practices and reactions to a suspected attack.

3. Practise an incident response plan

Having a ‘go-to’ plan of action for responding to a cyber incident is essential to limiting the damage of an attack. Also, working together with government agencies, regulators and rival companies, by sharing knowledge about threats can help prepare each firm to successful avoid data breaches.