Companies can reduce damage of global cyber attack

Andy Jalil – andyjalil@aol.com – Cybercrime is on the increase, but there is a great deal that can be done to lessen its impact — starting with making life a lot harder for the criminals themselves. The world has seen regular cyber attacks and the danger remains. Jeremy King, International Director of the PCI (Payment Card Industry) Security Standards Council, is deeply concerned and is well equipped to advise on this.
Travelling around the world and talking to companies across the UK, US and Africa, he hears the same story: companies are the targets of cyber attacks. He said: “The criminals are very well organised, they are global and they share details about how to attack. There has been a massive rise in cybercrime, starting from e-commerce to phishing, malware and ransomware.”
The biggest problem, according to King, is that CEOs either believe that their company would never be a target, or consider cyber security to be a mere IT matter, without realising that everyone who has access to their system is a possible weak spot. Only one person has to press a wrong button for an attack to begin. King said: “Companies need the right security practices and processes, but above all the employees need the right tools and training. People still have terrible passwords like ‘password1’ or ‘123456’ and the criminals know this. We also put too much information about ourselves on social media, so we make it easy for criminals to attack.”
High-profile attacks: There have certainly been some high-profile attacks. Last year there was a security breach on the e-commerce platform Magento, while in May this year there was a global WannaCry attack, infecting more than 230,000 computers in over 150 countries. The UK’s National Health Service (NHS), Spain’s Telefonica and Deutsche Bahn were just some of those affected before it was halted by an English web security researcher, who discovered a kill switch.
“What happened was that malware came in and encrypted everything,” King said. “In the financial world we’ve been using encryption for years, but now the criminals have realised what we were doing and turned it against us. And the invention of Bitcoin has helped: it’s hard to trace and easy to use.” It is also becoming apparent that the targets, the NHS for example, were often not involved with payment data, which meant they would have been less aware of the potential threat of an attack.
Combating fraud: One way for companies to combat fraud is to adopt and implement the PCI-DSS (Data Security Standard) and to understand the issues involved. “How many people have access to your website?” King asks, “How many people have access to payment data? Where does that data go? Restricting access to employees that don’t need everything on the system might be a start.”
Implementing even the most basic steps would have a huge impact: for example, 81 per cent of hacking-related breaches leveraged stolen or weak passwords.
The criminals are well organised but they are not necessarily super-sophisticated and as King reiterates, we have been making it too easy for them.
But beyond the basics there is much more a company can do: improving network security, installing firewalls, limiting system access and protecting data by using encryption. From May 2018 the UK will adopt the EU’s General Data Protection Regulation (GDPR), which will not be affected by Brexit and is intended to strengthen and unify data protection for all individuals in the EU.
Protecting smaller businesses: While most of the above affects big business, small businesses can be targets of cybercrime too. “There are one million small merchants in the UK that accept payments and they don’t have the level of expertise that larger companies with IT departments do,” says King.
“The PCI Security Standards Council is simplifying our advice and instructions. We have resources available on PCISSC.org that are specifically aimed at smaller businesses and we are linking up with other organisations such as the British Independent Retailers Association to raise awareness that these tools are available.”
“What every company, large or small, should do is to establish an incident response plan and then stress test it. It might fall apart in five minutes, but at least you can do something about it. It is the best way to reduce the impact of the breach,” says King.