A government-backed report published this month claims that two-thirds of big UK businesses have been hit by a cyber attack in the past year. A quarter of these firms experienced a cyber breach at least once a month. In some cases the internet-linked attacks cost millions of pounds. More alarming, according to the Cyber Security Breaches Survey 2016, was that seven out of 10 attacks could have been prevented.
The UK Government is investing £1.9bn over the next five years to tackle and prevent cyber crime, and a new National Cyber Security Centre will offer businesses security support. From personal experience of working with, and as part of, a variety of companies from different sectors, many companies are still unaware of any external penetration of their systems. In this case, ignorance is not “bliss”. The reality is that companies, whether listed or private, could do far more.
From a commercial point of view, intellectual property is valueless except in its application. But to the person who steals IP, whether over the Internet or through another medium, considerable advantages can accrue. That person saves the time and money of developing the same thing, and, depending on the jurisdiction in which they operate and the chances of being caught, can make money by applying the stolen IP commercially. For the out-and-out criminal, data stolen through hacking can include client and banking details. In all such cases the incentives for criminals are considerable, so the problem is not going to go away.
The post of Information Commissioner here in the United Kingdom was established in 1984 to act as an independent watchdog and ensure that companies operating in this country guard client information more carefully. Since 2010, it has handed out nearly £6 million in fines for breaches of the Data Protection Act (the largest, £250,000, was imposed on Sony over the PlayStation Network breach). The number of monetary penalty notices the ICO issues has grown each year, and the maximum fine it is authorised to levy has increased. Yet many firms in Britain remain unaware of this development.
There are some simple precautions that all companies can put in place, many of which cost nothing. For example, having employees leave their mobile telephones outside conference rooms when contracts, strategy or technological developments are to be discussed is an easy measure that removes the possibility of a mobile telephone, even one that appears to be switched off, being activated as a microphone by a hostile party. Similarly, it makes good sense for pursuit teams negotiating deals overseas not to discuss progress with head office on their mobile telephones, as their calls can easily be monitored to the detriment of their negotiating position. In China, the monitoring of mobile phones is so easy and pervasive that an industry has grown up around firms sending out text messages offering to check whether a spouse is having an affair, with the recipient simply supplying the suspected spouse’s mobile number. Such a message actually popped up on a colleague’s screen while I was sitting with my company lawyer at a café in Shanghai.
A determined and well-resourced hacker, operating independently or on behalf of hostile commercial or government entities, can penetrate even well-protected sites given time and persistence. Companies need to decide what their real ‘crown jewels’ are and concentrate protection there, accepting that much of the rest will remain vulnerable, without ever giving the hacker free rein.
Companies can and should do much more to educate their employees at all levels to safeguard sensitive information more carefully. But this raises the question of whether, and how, the government should help companies. Some plain, homespun advice would go a long way, and that costs little.