The true extent of UK data breaches is unknown because most companies do not report them in the absence of data breach notification laws, says global digital risk and investigations firm Stroz Friedberg.
“Even companies hit by cyber attacks do not have a good idea of the threats facing them because they tend to put their heads in the sand,” said Seth Berman, executive managing director at Stroz Friedberg.
Most companies are unwilling to spend money on making sure all vulnerabilities have been eliminated and that attackers have not installed any back doors or other malware on their network.
“Without any incentive in place, there is little reason for companies to carry out full investigations of data breaches to understand fully what happened and why,” Berman told Computer Weekly.
No understanding of risk
Consequently, Berman believes there a lot of UK companies that do not have a good idea of attacks that are going on, nor do they understand how significant the risk is and its potential impact on the business.
Just about every business, no matter how large or small, is at risk from some kind of cyber attack, he said, from the corner kebab shop to multinational companies.
Hacktivist attacks by groups like Anonymous should also be taken into consideration as part of any risk assessment as there is often no clear motivation for such attacks which can be very damaging.
“While the corner kebab shop may not be targeted by state-sponsored advanced persistent attacks (APTs) they may hold credit card information, which could make them a target,” said Berman.
Small to medium-sized companies often hold information that is attractive to cyber criminals, but typically do not have the same cyber defences as larger firms, making them an ideal target, he said.
Another category at risk of not paying enough attention to cyber security is professional services firms, which although they hold a lot of customer information, do not view themselves as data repositories.
“Business risk tends to be about potential malpractice cases, not about data security and potential breaches of sensitive client information,” said Berman.
Smaller firms are a target
For the same reason, legal firms are often a target for attackers looking for company information because they are often less well defended than their client companies.
“People often lose sight of the fact that even small and mid-sized legal firms may store sensitive data about high-profile clients,” said Berman.
As a result, many UK companies are not doing enough advance preparation for cyber attacks, tending to wait for something to happen before taking action.
“Once an attack has taken place, it is too late to start looking for experts who can provide support for responding to and recovering from an incident and providing forensic analysis,” said Berman.
Part of the problem, he said, is that IT teams are so busy keeping systems running that they do not have the time to take a step back and think about securing the data. They also often lack the required skills.
In many companies there is no-one who is dedicated to thinking about security. That, in combination with a reluctance to invest in breach preparation and a lack of threat understanding, leads to failure to act.
Minimum data security standards
Berman believes that like external financial controls, businesses should be subject to external security controls that require them to meet minimum data security standards.
He also believes that mandatory data breach reporting, included in EU proposals for a new data protection framework, will be a good thing if they avoid the pitfalls experienced in the US.
“The EU must be careful about what it defines as sensitive or personal data to prevent the over reporting that tends to happen in the US,” said Berman.
He also supports calls for the EU to rethink the proposed requirement for data breaches to be reported within 24 hours.
“It would be much better if organisations are given enough time to establish exactly what has happened before reporting a breach, because they may find no data was lost despite initial indications,” he said.
The definition of a data breach should also include some element of likely harm, said Berman, with exceptions for things like data that is encrypted.
Berman said UK organisations need to become more pro-active about security and view themselves as custodians of customer data and act accordingly.
Businesses need to see security as a necessary part of doing business and a potential market differentiator, rather than an unnecessary expense, said Berman.