Cyber security is a significant issue now for governments and companies, and will becoming increasingly so for firms as they have to meet legal demands that they act fast and flag up attacks that could have far reaching consequences. The Czech Republic has been off the radar screen for most major hacking attacks so far but security experts warn companies may be caught napping as a result and face very serious consequences.
We’ll begin perhaps with an anecdote. Once upon a time, there was a company offering various types of plastic surgery for men and women – you can probably guess the promises – and it insisted that those interested in getting more details gave their names, addresses, and what they were looking for. Then the company’s IT was hacked, the data disappeared, and the company collapsed soon after. It’s rash attitude to cyber security meant that it basically lost all its reputation, credibility, and customers.
Cyber security is a big issue on the marketplace today. Just think of the ever growing sales over the Internet, development of Internet banking and payments, widening ways of connecting to the Internet, and storage and mining of so-called big data. Bank and credit card companies alone are believed to lose hundreds of millions of dollars form lost data with the overall global cost of cyber crime put by one think tank at just under 600 billion US dollars in 2014.
And it was with that in mind that a sort of wrapping up conference was convened in Prague last week to try and synthesize weeks of discussions about cyber security in the government and private sector and where they overlap and can cooperate.
Jiří Schneider, executive director of the think tank and policy discussion promoter, the Aspen Institute in Prague, raised some of the questions that are now being posed, especially given the Czech government’s push to introduce electronic cash registers to clamp down on tax fraud and the gray economy.
“I see a big issue here in the private and public sector which we are focusing on solving from the inside out.”
“Just two days ago the Internal Revenue System in the United States a breach, a massive breach into its data. It was just yesterday that our parliament, the lower chamber of our parliament, passed a law which enact a system of evidence of all transactions made by businesses. Now the question is who is going to store this data? Are they going to be as secure as the IRS in the US or other data.
“And it raises a whole set of questions we were trying to debate. What is the difference between the accountability performed by business and government in dealing with data and in dealing with cyberspace? What is the responsibility of the government in setting the rules for e-commerce and what are the differences between e-commerce and e-government in dealing with basically the same type of challenges, especially in managing and processing big numbers of data? And what is the national security paradigm as opposed to the business paradigm in dealing with risks. The businesses tend to mitigate the risk, the governments tend to pretend that they have every risk under control, which is not true. And what is the role of insurance in there?”
It’s perhaps appropriate that insurers are mentioned here because one player on the market, AIG, was one of the sponsors of the conference. Cyber security is a risk area where such companies are increasingly present and AIG says it already has 40,000 cyber insurance customers worldwide.
In the Czech Republic the number of major hacks of private companies are fairly small. AIG maps recent attacks and Czech examples include the Internet search engine company Seznam and the game development studio Bohemia Interactive. By far the most attacks are in the US and more lucrative Western markets. But the number can be expected to grow across the world and the role of insurers as well in what is seen as a booming future market.
Even the smallest leak of data or security breach can be very expensive in terms of locating and compensating customers affected, bd publicity, and the repairs and remedies needed to the network. Insurers will also be stepping up the pressure on clients and potential clients to bolster their defences against attack or face punitive payments for policies or a blunt refusal that they be insured.
One of the speakers at the conference was Tibor Soós the Central European manager for the global security company Varonis. He said many security breaches for companies do not come from the outside but rather from the inside and can be blamed on something as simple as human error and lost equipment, such as employees losing mobile phones, which these days can carry an astonishing amount of sensitive information.
“The Internet of things brings another level of threat because it brings a very real danger of physical consequences or damages caused by cyber attacks.”
“They lose their devices or they just get stolen. It represents almost one fifth of all of the attacks which is really, really alarming. The second thing, which is a fourth of all of the attacks. is insider and privilege abuse, so somebody confiscates the access details of internal people or contractors and they spread some malware on the network and gain access to the data, which is really, really critical. And the third, which is the highest number and more than a third of all the breaches is miscellaneous errors, which is all sorts of misleading e-mail messages or just dropped e-mail messages to the wrong people with data inside or information inside which is critical for the organization. So, in a short word, I see a big issue here in the private and public sector which we are focusing on solving from the inside out.”
He had other messages as well to companies, don’t be tempted by cost savings by out sourcing or sub-contracting your IT, data, and security services. If you do, you will still have to check what the sub-contractor is up to. Look carefully at cloud storage and think about such issues as whether all newcomers to the company can get access to almost all of its data.
Another anecdote here, a very high profile and strategic state controlled Czech utility company started to look again at its cyber security and started consultations. But it has sub-contracted out key activities and had to ask for representatives of the sub-contract companies to come along to the talks as well, at least for the early sessions. Spreading your responsibilities and data about does not really make for the best security.
Czech IT expert and member of the Czech Institute of Security Managers, Tomáš Flídr, was another of the conference speakers and he warns that while Czech company defences regarding cyber security may be improving fast there are still many gaping gaps and the dangers and costs of being hacked or breached are soaring. I asked him how big the risk is now for Czech companies which maybe so far have escaped the worst attacks.
“I am not sure if I am objective in this regard because I deal with cyber security daily in my job, so I am naturally a little bit paranoid about that. But I think that the threat is huge and it is ever increasing.
“We have several global problems of cyber security which have not been solved yet and which will be very difficult to solve. From a cyber security perspective we have not yet solved the previous revolution in IT industry which was mobile access. We still have the largest mobile platform operating system which in 90 percent of users run an outdated version of it with known vulnerabilities and ways to exploit such vulnerabilities. They are using their mobile devices to store more and more data. And an even bigger threat is upcoming which is the Internet of things. That is various other devices other than computers connected to the Internet. Unfortunately, the vendors, the producers, of these devices do not often pay any attention to security and if they do they always count the costs and they avoid security by design which is necessary in this field. The Internet of things is particularly dangerous because it may continue in the trend of ever increasing damages caused by cyber attacks.”
One aspect of the growing threat is that key infrastructure, whether state or privately owned, is now reckoned to be at threat from certain types of attacks and that is already pushing governments, private companies, and universities to forge links to develop the defense strategies.
“It really helps when some attacks occur that have wide media coverage.”
“A few years ago the typical malware threat was some fraud with online advertisements. It meant that your browser started to show you unwanted ads. Okay, that was annoying but not particularly dangerous, right. Now we have ransom ware which encrypts your data and demands some money for their decryption. And the Internet of things brings another level of threat because it brings a very real danger of physical consequences or damages caused by cyber attacks. So far there were literally just a couple of examples where cyber attacks caused physical damage but the Internet of things may bring this to another level.”
Ironically, one of the motivations for companies will the increased publicity and costs of sparked by serious cyber attacks. But some companies might not of course learn fast enough. The Ddos attack referred to in the next extract refers to denial of service, basically when a computer system or network is overwhelmed or otherwise made inaccessible to its legitimate user. Tomáš Flídr again:
“It really helps when some attacks occur that have wide media coverage. It was the case recently with the breach of the e-mail of the Czech prime minister. I have my own experience from 2013 where various Czech companies were targeted during one week by at that time huge, today small, Ddos attacks. They basically did not cause any direct damage but were real eye openers for those companies involved to get cyber security stuff done. So, probably the actual attacks are the only thing that can draw the attention of management and those responsible and the public in general to cyber security. But I am afraid that we will have those attacks in increasing numbers and the public will be more and more aware of the need for cyber security.”