Big business is at greater risk of cyber attack
The number of cyber criminals targeting UK corporates rose sharply during 2011, according to new figures.
Cyber attacks are now a high-level concern for government and business leaders because of the cost and disruption they cause, and because they regularly target suppliers of critical infrastructure such as electricity grids and gas and oil.
The study of 447 UK businesses by PwC found that large organisations on average suffered 54 significant attacks in 2011, twice the level of 2010. Large companies now face an outsider attack every week, the consultancy claims.
The increase represents a rising cost to business. A company’s single worst security breach of the year cost between £110,000 and £250,000 for large businesses and between £15,000 and £30,000 for small ones.
Separately, figures released by the FSA show that UK companies reported 185 breaches in June, July and August 2011. Because reporting breaches is voluntary in the UK, however, the actual number of cyber attacks for the period is thought to be much higher.
The fact that the UK Department for Business, Innovation and Skills supported the PwC survey demonstrates how important the issue is to government.
Cyber criminals seek to attack companies with valuable digital assets. In addition, direct action groups target organisations that they believe are acting unethically. More sinister still are attacks by nation states on one another: the world’s most sophisticated cyber crimes are funded and co-ordinated by governments.
The emergence of cyber attacks as a threat to UK corporates
Cyber attack tool kit
Who’s attacking businesses and how they are fighting back
Digital activists known as ‘hacktivists’ are purportedly driven by political or ethical values. The hacker group Anonymous attacked PayPal and MasterCard when they withdrew their services from WikiLeaks over the leaked US embassy cables in November 2010. LulzSec (short for Lulz Security) is a splinter group of Anonymous.
Disgruntled employees, who may hold insider information, are also potential cyber threats to corporates. Competitors, who have always been motivated to gain insider information on their rivals, now have more options for commercial skulduggery.
Simulating a cyber attack is one way to test how robust defences are. The official London 2012 Olympic website, for example, went through a simulated DDoS (distributed denial of service) attack this year.
One response to cyber threats is to encourage hackers to become ‘white hats’, who are paid a reward for informing corporates when they discover a security vulnerability. Nine people in the UK have been paid a total of $11,000 (£6,800) in ‘security bug bounty’ by Facebook. To qualify for the cash, they have to abide by Facebook’s responsible disclosure policy, and typically receive $500 per reported bug.
Cyber attacks in the UK

Lush (cosmetics retailer)
How: Breach originated through a third-party email supplier.
When: October 2010 to January 2011.
Impact: Lush lost the payment details of 5,000 customers and was found to be in breach of the Data Protection Act by the UK Information Commissioner, but was not fined.

Sony PlayStation Network
How: What Sony termed “external intruders” made off with unencrypted files.
Impact: The attackers stole personal details of 77 million customers and forced the service offline for 24 days. In a separate hit, the hacker group LulzSec subsequently targeted the service, taking even more unencrypted information.

Play.com (online retailer)
How: Phishing and malicious websites.
Impact: Hackers targeted one of Play.com’s third-party marketing websites where user information was held. The criminals took users’ names and email addresses to use in phishing email scams, directing recipients to bogus websites in attempts to extract sensitive information.

RSA (security firm)
How: Hackers co-ordinated a sophisticated attack targeting the security firm’s own security software, used to protect company and government systems. The attack is thought to have been organised to facilitate a subsequent attack on arms maker Lockheed Martin.

Lockheed Martin
How: With user information gathered from the successful RSA attack, the hackers tried to gain entry through Lockheed Martin’s remote access system.
Impact: The company spotted the attack quickly and closed down the remote access function, foiling the hackers. Lockheed Martin manufactures satellites, Trident missiles and fighter jets, and it is suspected the attackers aimed to steal sensitive intellectual property.

Monster.com (job hunting website)
How: Monster did not disclose the hacking technique, though a similar attack on the company in 2007 originated in Ukraine.
Impact: Personal information was stolen from 4.5 million users of the job board, including names, addresses and dates of birth. Monster quickly admitted the attack and sent guidance letters to affected customers.

Booz Allen Hamilton
How: Anonymous left a statement saying that the data had been taken from a poorly protected server.
Who: Anonymous (hacker group).
Impact: The consulting firm had been working for the US Department of Defense. The hackers took 90,000 email addresses and passwords of military personnel. Anonymous claims to publicise security flaws through hacking rather than intending to steal data.

Car manufacturer
How: Malware was placed on the employee entry portal, gathering workers’ login details.
Impact: The car manufacturer put out a statement saying that it believed the attackers were after intellectual property concerning its electric vehicle ‘drive train’ system.

BAE Systems-Lockheed Martin joint strike fighter project
How: Hackers gained access to an offline computer containing fighter jet designs worth $300bn.
Who: Unknown hackers, who appear to have originated in China.
Impact: Sophisticated hacking techniques led the attackers to an internal communications link, giving them access to a computer that was not connected to the internet, where information about the plane was stored.