Following news earlier today (8 July) that British Airways has become the first British company to be penalised under the EU General Data Protection Regulation (GDPR), research reports indicate that the list is set to become longer.
Businesses in the UK faced an average of 146,491 attempted cyber-attacks in the second quarter of 2019, according to an analysis from Beaming. This equates to one attack every 50 seconds, the highest level since Beaming started monitoring attacks in 2016.
"The rate at which UK businesses are attacked online has soared over the last year and companies large and small are under sustained attack from hackers around the world," said Sonia Blizzard, managing director of Beaming.
"The majority of cyber-attacks on businesses are indiscriminate, malicious code that trawls the web seeking to exploit any weak point in cyber-security systems. A single breach can be catastrophic to those involved."
Remotely controlled IoT applications and file sharing services were the most likely targets for online cyber-criminals, attracting 201 and 114 attacks per day respectively between January and March, said the report.
The volume of internet-borne cyber-attacks from April to June 2019 was 179 percent higher than in the same period of 2018, when businesses were attacked online 52,596 times each on average, said the Beaming report.
IoT devices and file sharing services -- the most frequently targeted applications -- attracted 17,737 and 10,192 attacks respectively between April and June.
In the British Airways breach, regulators have not given any significant information on how the breach was perpetrated by the hackers, although some reports pointed towards a vulnerability in payment systems.
"Although increased spending by businesses on technologies designed to stop attacks is beneficial, we’re still overlooking the fact that cyber-security’s biggest threat is human error. More education around cyber-security is needed across the board - at both a commercial and customer level," said Andrew Martin, CEO and founder, DynaRisk.
The air transport sector is reported to be particularly vulnerable, with SITA reporting that only just over three quarters (77 percent) of aviation organisations communicate their security policies to their employees, while just 69 percent have a formal training programme in place.
"Employees are the weakest link in the fight against cyber-attacks, and the very first topic to address. Air transport industry security experts accept that employees need to be part of their core security arsenal in the defence against risk," said SITA’s 2018 Air Transport Cybersecurity Insights report.
The measures companies usually take to beef up their cyber-security are often woefully inadequate, said the SITA report. More than 90 percent of the respondent organisations have conducted formal risk assessments, and 33 percent have security operations centres to monitor their IT environment. However, only 40 percent of them have maintained an inventory for their critical business processes, said the report.
The GDPR regulations have put the onus on the business when it comes to data breaches. "People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience," said Information Commissioner Elizabeth Denham in the British Airways penalty announcement.
With cyber-criminals hunting top brands and with these corporations failing to protect consumers, people should start improving their own cyber-security credentials, said Martin.
"Customers should be treating their online information as a personal responsibility and should regularly check whether this information is vulnerable or at risk. In addition, people should be regularly reviewing their personal cyber-security score and continuously act to improve it," he said.
"The message here is clear: it's not about checking boxes. It's about privacy in the company's DNA. You can't just roll out a good enough app that doesn't have good enough privacy or security. It's also not about the facile direct risk of fraud," said Sam Curry, chief security officer at Cybereason.