The reality of targeted cyber-attacks

To tackle targeted cyber-attacks, Bob Tarzey says research and experience concur: put measures in place to prevent attacks happening, take action when one is underway and clear up after the event when one succeeds.

Bob Tarzey, analyst and director, Quocirca

It's gratifying when quantitative research is backed up by the experiences of the insightful people you meet, providing affirmation of primary research results that underlines the veracity of the research process. 

At the SC Magazine London Congress on 10 February 2016, Quocirca's contribution was based on a research report published in December 2015, entitled The trouble at your door: Targeted cyber-attacks in the UK and Europe, which was sponsored by Trend Micro. It was good to be able to note how the research supported the views of fellow panellists, Troels Oerting, the CISO (chief information security officer) of Barclays bank, and Tim Lansdale, Worldpay's head of payment security.

Worldpay told of how the number of breaches observed by its customers was up 200 percent year-on-year. Our research report showed that the number believing that targeted cyber-attacks were inevitable was up from 28 percent in 2013 to 70 percent in 2015. Furthermore, 52 percent of UK enterprises knew they had been targeted in the last 12 months (many of the remainder simply did not know, and in any case it is hard to prove you have not been a target). For most it had been more than one attack, and 17 percent knew data had been stolen.

So, if targeted attacks are inevitable and widespread, what can be done to mitigate their impact? The research report looks at the before, during and after measures: those in place to prevent attacks happening in the first place, those taken when an attack is underway, and the clean-up after the event when one succeeds.

Worldpay pointed out an obvious 'before' measure, better protection of sensitive data; it should know, as it deals with the Holy Grail for cyber-criminals: payment card data. Like many organisations, Worldpay is using tokenisation, where the actual data is replaced with a token which has no meaning to a third party without access to the de-tokenisation values. Our research showed that despite payment card data being the prime target, more general personally identifiable data was of greater concern. We concluded that this was for two reasons: first, payment card data is a very specific type of data and therefore easier to protect with methods such as tokenisation, and secondly, the process of taking payments can be outsourced to specialists. It is harder to do the same for all the varied personal data many organisations deal with.

When it came to 'after' measures, Worldpay pointed to the need to involve various parts of an organisation in the response, including legal, human resources (HR) and public relations (PR). Our research shows the extent to which this is actually being done. Only 42 percent of organisations have a breach response plan already in place, whilst 28 percent say they are planning to do so. Thirty-seven percent accept that legal should be involved in such plans, 24 percent HR and 13 percent PR. So whilst there is some way to go for all to catch up with a frontline company such as Worldpay, there is progress.

Finally, Barclays and Worldpay concurred that users have to be better informed to protect themselves. For business users, employers can mandate training, put in place disciplinary measures for poor practice and so on. The biggest headache for banks is often consumers being careless with their access credentials. This requires action on a broad front, and various industry sectors have to take a lead in keeping their customers informed about risk. Barclays is doing its bit; on the morning of the SC Magazine Congress, Barclays' succinct “Fraud Smart: The Imposter” phishing advert was airing. More of this is needed in high-profile places to help stop more attempted attacks in their tracks.

Contributed by Bob Tarzey, analyst and director, Quocirca