Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Cyberwarfare

UK banks and financial market infrastructures have experienced cyber attacks

In the Bank of England’s 2013 H2 Systemic Risk Survey Banks and Financial organisation highlighted operational risk as one of the main risks to UK financial stability.

The majority of the respondents cited cyber-attacks from individuals or groups seeking to exploit vulnerabilities in IT systems for financial gain or to disrupt services as a significant threat.

The report states In the past six months, several UK banks and financial market infrastructures have experienced cyber attacks, some of which have disrupted services. While losses have been small relative to UK banks’ operational risk capital requirements, they have revealed vulnerabilities. If these vulnerabilities were exploited to disrupt services, then the cost to the financial system could be significant and borne by a large number of institutions

In June 2013 the bank of England said:

HM Treasury, working with the relevant government agencies, the PRA, the Bank’s financial market infrastructure supervisors and the FCA should work with the core UK financial system and its infrastructure to put in place a programme of work to improve and test resilience to cyber attack

Perceived Risks from Cyber Attacks have risen strongly

Bank of England Chart

HM Treasury, other government agencies and financial authorities have formed a Cross Market Operational Resilience Group who will work to assess, test and improve cyber resilience across the core parts of the UK financial sector.

On the 12 November, under the supervision of the Cross Market Operational Resilience Group, an exercise called Waking Shark II took place to test the financial sector’s response to a sustained and intensive cyber attack It was an industry led exercise; supported by HM Treasury, the Bank of England and the FCA and several other government agencies. The report on the outcomes and lessons will be issued in early 2014.

Advertisements

The average cost of a data breach is $8.9m in the US and £2.1m in the UK

The results of the Ponemon 2012 Cost of Cyber Crime Study for the United States, United Kingdom, Germany, Australia and Japan. For the purposes of this post I have summarised the United States and the United Kingdom.

The study, sponsored by HP Enterprise Security, focused on organizations located in the United States and the United Kingdom many are multinational corporations.

Cyber-attacks generally refer to criminal activity conducted via the Internet. These attacks can include stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on other computers, posting confidential business information on the Internet and disrupting a country’s critical national infrastructure. Consistent with the previous two studies, the loss or misuse of information is the most significant consequence of a cyber-attack. Based on these findings, organizations need to be more vigilant in protecting their most sensitive and confidential information. 

  • The median annualised cost for 38 UK benchmarked organisations is £2.1 million per year, with a range from £.4 million to £7.7 million each year per company.
  • The median annualized cost for 56 US benchmarked organizations is $8.9 million per year, with a range from $1.4 million to $46 million each year per company. 

UK Summary

Cybercrimes are costly. The study found that the median annualised cost for 38 benchmarked organisations is £2.1 million per year, with a range from £.4 million to £7.7 million each year per company. 

Cybercrime cost varies by organisational size. Results reveal a positive relationship between organisational size (as measured by enterprise seats) and annualised cost. However, based on enterprise seats, Ponemon determined that smaller-sized organisations incur a significantly higher per capita cost than larger-sized organisations (£399 versus £89). 

All industries fall victim to cybercrime, but to different degrees. The average annualised cost of cybercrime appears to vary by industry segment, where defence, utilities and energy and financial service companies experience higher costs than organisations in hospitality, retail and education. 

Cybercrimes are intrusive and common occurrences. The companies participating in our study experienced 41 successful attacks per week, or about 1.1 successful attacks per organisation. 

The most costly cybercrimes are those caused by malicious insider, denial of service and malicious code. These account for more than 44% of all cybercrime costs per organisation on an annual basis. Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, application security testing solutions and enterprise GRC solutions. 

Cyber-attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organisational cost. The average time to resolve a cyber-attack was 24 days, with an average cost to participating organisations of £135,744 over this 24-day period. Results show that malicious insider attacks can take more than 50 days on average to contain. 

Disruption to business processes and revenue losses represent the highest external costs. This is followed by theft of information assets. On an annualised basis, disruption to business or lost productivity account for 38% of external costs. Costs associated with revenue losses and theft of information assets represents 53% of external costs. 

Recovery and detection are the most costly internal activities. On an annualised basis, recovery and detection combined account for 55% of the total internal activity cost with cash outlays and labour representing the majority of these costs. 

Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber-attacks. As a result, these companies enjoyed an average cost savings of £.4 million when compared to companies not deploying security intelligence technologies. 

Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that have adequate resources, appoint a high-level security leader, and employ certified or expert staff experience cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at more than £.3 million, on average. 

A strong security posture moderates the cost of cyber-attacks. Ponemon utilize a well-known metric called the Security Effectiveness Score (SES) to define an organisation’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organisation is in achieving its security objectives. The average cost to mitigate a cyber-attack for organisations with a high SES is substantially lower than organisations with a low SES score.

Summary of US findings

Cybercrimes continue to be very costly for organizations. Ponemon found that the median annualized cost for 56 benchmarked organizations is $8.9 million per year, with a range from $1.4 million to $46 million each year per company. Last year’s median cost per benchmarked organization was $8.4 million. Ponemon observe a $500,000 (6%) increase in median values. 

Cybercrime cost varies by organizational size. Results reveal a positive relationship between organizational size (as measured by enterprise seats) and annualized cost. However, based on enterprise seats, Ponemon determined that small organizations incur a significantly higher per capita cost than larger organizations ($1,324 versus $305). 

All industries fall victim to cybercrime, but to different degrees. The average annualized cost of cybercrime appears to vary by industry segment, where defence, utilities and energy and financial service companies experience higher costs than organizations in retail, hospitality and consumer products. 

Cybercrimes are intrusive and common occurrences. The companies participating in our study experienced 102 successful attacks per week – or 1.8 successful attacks per organization. In last year’s study, an average of 72 successful attacks occurred per week. 

The most costly cybercrimes are those caused by denial of service, malicious insider and web-based attacks. This account for more than 58% of all cybercrime costs per organization on an annual basis.4 Mitigation of such attacks requires enabling technologies such as SIEM, intrusion prevention systems, applications security testing solutions and enterprise GRC solutions. 

Cyber-attacks can get costly if not resolved quickly. Results show a positive relationship between the time to contain an attack and organizational cost. The average time to resolve a cyber-attack was 24 days, with an average cost to participating organizations of $591,780 during this 24-day period. This represents a 42% increase from last year’s estimated average cost of $415,748, which was based upon an 18-day resolution period. Results show that malicious insider attacks can take more than 50 days on average to contain. 

Information theft continues to represent the highest external cost, followed by the costs associated with business disruption. On an annualized basis, information theft accounts for 44% of total external costs (up 4% from 2011). Costs associated with disruption to business or lost productivity account for 30% of external costs (up 1% from 2011). 

Recovery and detection are the most costly internal activities. On an annualized basis, recovery and detection combined account for 47% of the total internal activity cost with cash outlays and labour representing the majority of these costs. 

Deployment of security intelligence systems makes a difference. The cost of cybercrime is moderated by the use of security intelligence systems (including SIEM). Findings suggest companies using security intelligence technologies were more efficient in detecting and containing cyber-attacks. As a result, these companies enjoyed an average cost savings of $1.6 million when compared to companies not deploying security intelligence technologies. 

A strong security posture moderates the cost of cyber-attacks. Ponemon utilize a well-known metric called the Security Effectiveness Score (SES) to define an organization’s ability to achieve reasonable security objectives. The higher the SES, the more effective the organization is in achieving its security objectives. The average cost to mitigate a cyber-attack for organizations with a high SES is substantially lower than organizations with a low SES score. 

Deployment of enterprise security governance practices moderates the cost of cybercrime. Findings show companies that invest in adequate resources, appoint a high-level security leader, and employ certified or expert staff have cybercrime costs that are lower than companies that have not implemented these practices. This so-called “cost savings” for companies deploying good security governance practices is estimated at more than $1 million, on average. 

UK report is here – registration is required. 

US report is here  – registration is required.

.

90 Percent of Businesses Fell Victim to a Cyber Security Breach

The Ponemon Institute has released the the results of a study conducted to determine what IT and IT security practitioners in the US, UK, France and Germany think about how well their organizations are responding to threats against network security. Sponsored by Juniper Networks, they believe the research is important because “it can provide insights from those who are dealing daily with the prevention and detection of these attacks. Specifically, what do they think about the current threat landscape and what are the most effective strategies to keep networks secure”.

Some of the topics addressed include:

  • Are threats to network security increasing in frequency and sophistication?
  • Is their organization’s IT infrastructure secure enough to prevent successful attacks?
  • What is the nature of the attacks and are the attackers and attack vectors known?
  • Do organizations see complexity as a barrier to effective enterprise-wide network security?

They surveyed 583 IT and IT security practitioners in there US with an average of 9.57 years of experience. More than half (51 percent) are employed by organizations with more than 5,000 employees.

The study found the number of successful network security breaches over the past 12 months were:

None 10%
1 time 21%
2 to 3 Times 32%
4 to 5 Times 18%
More than 5 times 9%
Cannot determine 10%

Some of the most salient findings are as follows:

The financial impact of a security breach can be severe. According to 41% of respondents, the financial impact of these breaches was $500,000 or more. However, 16% cannot determine the amount. Respondents were asked to consider cash outlays, internal labor, overhead, business disruption, revenue losses and other expenses.

Security breaches most often occur at off-site locations but the origin is not often known. Mobile devices and outsourcing to third parties or business partners seem to be putting organizations at the most risk for a security breach. 28% say the breaches occurred remotely and 27% say it was at a third party or business partner location.

Attacks are coming from external agents but insider abuse is prevalent. External agents and insiders (employees) are most commonly behind the security breaches according to 55% and 49% of respondents, respectively. Respondents also report that multiple sources can be blamed for the breaches.

Employee mobile devices and laptops are seen as the most likely endpoint from which serious cyber attacks are unleashed against a company. 34% of respondents say attacks occurred from infected laptops or remotely due to an employee’s insecure mobile device. Further, the top two endpoints from which these breaches occurred are employees’ laptop computers (34%) and employees’ mobile devices (29%). 28% say it is employees’ desktop computers.

Complexity and availability of resources are the most serious challenges to combating cyber attacks. 48% cite complexity as one of their biggest challenges to implementing network security solutions. The same percentage of respondents 48% says it is resource constraints. These challenges are followed by lack of employee awareness, which contributes to the insider risk. In addition to simplifying their security operations and increasing available resources, organizations should consider the importance of training and awareness.

Attacks are becoming more frequent and severe. IT practitioners in the study are worried about continuing and more serious attacks. 78% of respondents say there has been a significant increase in the frequency of cyber attacks during the 12 months, and 77% say these attacks have become more severe or difficult to detect, or contain.

Given the current threat landscape, organizations should make prevention and detection of security breaches a primary focus. Only 32% of respondents say their primary focus or approach to network security is on preventing attacks. 16% say it is on fast detection and containment and 15% say it is on network intelligence. 23% say their network security strategy is to baseline their approach against best practices and 14% say it is IT governance.

Ponemon’s Conclusions

They believe their research provides evidence that many organizations are lacking the right strategy to prevent cyber attacks against networks and enterprise systems. Their study suggests conventional network security methods need to improve in order to curtail internal and external threats.

They believe organizations should consider incorporating the following recommendations in their network security strategy:

  • Understand the risk employees’ mobile devices create in the workplace. In addition to problems created when inappropriately being connected to the network, breaches involving lost or stolen laptop computers or other mobile data-bearing devices remain a consistent and expensive threat. According to Ponemon Institute’s 2010 Annual Cost of a Data Breach Study, 35 percent of organizations report that a lost or stolen mobile device caused the data breach they experienced.
  • Create a comprehensive policy (including detailed guidelines) for all employees and contractors who use mobile devices in the workplace. The policy should address the risks associated with each device and the security procedures that should be followed. Guidelines can range from such topics as to what types of data should not be stored on these devices, how to determine if an application can be safely downloaded and how to report a lost or stolen device.
  • Improve ability through expertise and enabling technologies to detect and prevent breaches. Understanding the source of the breaches can help organizations strengthen their cyber security strategy.
  • Address the insider threat through the creation of an enterprise wide security policy that includes the responsibilities of employees to help protect network security. The policy should be easily accessible. In addition, there should be a training and awareness program to ensure employees understand the various risks to the network and how they can contribute to preventing security breaches.
  • Complexity is recognized as a barrier to effective network security strategy. Organizations should assess their current procedures and technologies to understand how best to streamline their approach and have an end-to-end (holistic) approach to network security. The studies consistently show that the cost of cyber attacks is increasing. Reducing an organization’s vulnerability to such attacks through the combination of proper staffing, enabling technologies and training programs can help prevent the pattern of multiple breaches experienced by so many in our study.

The full study can be downloaded here

.

Blog at WordPress.com.

Up ↑

%d bloggers like this: