According to the government’s Cyber Security Breaches Survey 2019, around a third (32%) of all UK businesses have experienced a cyberattack within the last 12 months.
Take out small businesses and that figure rises to a shocking 60%. When you’ve been hacked, the impetus to make changes is clear. Many firms and business leaders, however, still bury their heads in the sand, thinking (or hoping) it won’t happen to them.
You don’t need first-hand experience to make changes, though: there are plenty of high-profile, large-scale breaches you can learn from.
Here are five of the biggest.
1. Maersk
Let’s begin with what has been labelled “the most devastating cyberattack in history.”
In June 2017, shipping and logistics company Maersk fell victim to the infamous NotPetya ransomware attack. The Russian military created it as a cyberweapon, initially aimed at businesses in Ukraine, but the malware spread far beyond them.
Maersk was one of the companies dealt the most damage by NotPetya. Some 50,000 endpoints and thousands of applications and servers were infected across 600 sites in 130 countries. The result: $300m in losses.
The malware spread using an exploit, EternalBlue, which took advantage of out-of-date software and allowed it to run code on poorly patched machines.
The moral of the story is that not all victims of cyberattacks are the intended victims. This essentially means that any business is vulnerable to the spread of malware. Always protect critical systems and networks and make sure you have a data recovery plan in case disaster strikes.
2. NHS
WannaCry was another devastating ransomware attack – one that infected over 300,000 computers in 150 countries. The countries worst affected were Taiwan, Ukraine, Russia and India. When WannaCry spread to the UK, the National Health Service was hit hardest.
In May 2017, at least 16 health service organisations were attacked, including hospitals and GP surgeries. The attack cost the NHS a monumental £92m in lost output and IT costs.
Hackers were able to access NHS computers via a vulnerability in Microsoft software, for which a patch had been available since March 2017. The service also had no web browsing protection in place, making it an easy target.
Prevention is the best line of defence against this kind of cybersecurity breach. The NHS should have installed the necessary software updates and patches to prevent this attack from happening.
It has since committed to formulating plans to meet the Cyber Essentials Plus Standard.
3. Equifax
In May 2017, credit-reporting agency Equifax was hit by a massive data breach, which may have affected its 143 million US customers.
Hackers gained access to 209,000 credit card numbers, along with valuable personal data such as birth dates, addresses, social security numbers and, in some cases, driving licence numbers.
As if that wasn’t bad enough, it was later reported that the breach could have been prevented if the company had taken the proper precautions.
Hackers got in via a vulnerability in Apache Struts, the framework running on one of its servers, for which a patch had been available as early as March 2017. This means that Equifax failed to protect its users’ data even though it had ample opportunity to do so.
How can you avoid such a horrendous misstep? Be sure to patch and update software regularly.
4. British Airways
Hackers stole the payment card information of an estimated 429,000 British Airways customers in early 2018.
The ICO has now proposed that BA pay a fine of £183m, which amounts to approximately 1.5% of the company’s £11.6bn turnover in 2018. Infringements of this kind can cost organisations up to 4% of their annual global turnover.
The attack may have been possible because BA had failed to meet the Payment Card Industry Data Security Standard the previous year. Hackers may have used a script that blended in with regular payment processing to steal information. This would not have been possible if BA had a secure, PCI-compliant iFrame on its payment pages. Naturally, these strict standards have been put in place for a reason. The ICO attributes the breach to “poor security arrangements”. Businesses of all sizes should actively track their compliance with a number of cybersecurity standards.
Managing Director of the Direct Marketing Association, Rachel Aldighieri, commented: “British Airways has a duty to ensure their customer data is always secure. They need to show that they have done everything possible to ensure such a breach won’t happen again.”
5. Marriott
In November 2018, Marriott revealed that hackers had gained access to the records of its 500 million guests. They stole sensitive information, including passport numbers and credit card numbers.
But the most shocking part of this story is that hackers may have had access as early as 2014.
Marriott also showed its lack of regard for cybersecurity when it merged with Starwood in 2016. At that point, it should have carried out cybersecurity and vulnerability assessments. It failed to do so, meaning it simply inherited Starwood’s cyber threats.
It’s also worth noting here just how easily viruses spread among businesses, so you need to be vigilant and demand best practices from any firm you collaborate with, including third-party suppliers.
In the case of Marriott, suspicious logins were never detected because the firm left its cloud unmonitored. There seem to have been failures left, right and centre, as it neither stored nor protected its encryption keys correctly either.
It Could Happen to You, Too
The cyber arms race has meant businesses globally have had to invest heavily in software, support and infrastructure to counteract the growing threat. But even as the sheer number of cyberattacks increases, the majority of cyber criminals’ tools and techniques are still rudimentary.
There are no guarantees in cybersecurity. Yet ThreatAware could have assisted each of these businesses. The tool monitors cybersecurity and alerts users to software updates, which would have helped in the cases of Maersk, the NHS and Equifax. Furthermore, ThreatAware monitors cyber risks and suggests actions to safeguard your website, which could have protected British Airways. Finally, ThreatAware could have helped prevent the Marriott breach by alerting the company to compliance issues with ISO 27001 and Cyber Essentials and by providing cloud monitoring.
However, sub-par technology isn’t solely to blame for cyberattacks, even in high-profile cases. There is also a human element to contend with. Email is still the easiest way into a business: targeting employees when they’re potentially distracted is the most effective method of bypassing security. Creating a culture in which all employees prioritise cybersecurity is therefore vital, as is proper training.
The threat may be cyber, but the answer is very much human.