Issue link: https://raconteur.uberflip.com/i/1084979

Contents of this Issue


Page 0 of 11

responding to breaches, will become even more crucial to business success in the future," says Tim Rawlins, director at NCC Group. There's no doubt that a proactive response must be delivered alongside an honest plan to tackle a breach, even if its knee jerk, otherwise it's carnage. "The saying that 'a lie can travel half- way around the world before the truth has its shoes on' is very real when it comes to social media. A misrepresentation of the facts can become a 'fact' very quickly and is then often picked up by traditional news sources," warns Richard Horne, cyberse- curity partner at PwC. "Cyber-crises are also diff erent to many others in that directly after the event, the aff ected organisation often has very few facts to work with. Maintaining stakeholder confi dence when you have no facts is a chal- lenge and especially because these facts can take days, weeks, even months to uncover." At the same time, we live in an era when there's a toxic cocktail of high breach fatigue among consumers and low public trust in companies that hold our precious data. Arguably, it's how businesses have handled attacks globally that has led to this state of affairs. "The reporting of incidents has gen- erally been poor and often doesn't high- light the real scope of a data breach, with incident reports littered with non-defi - nite words such as 'could have', 'might be' and so on," says Professor Bill Buchanan, cybersecurity expert at Edin- burgh Napier University. "In the case of British Airways, every customer should have stopped transactions on their credit card – in fact, it should have happened automat- Managing editor Benjamin Chiou Find out why on page 6 Organisations are being forced to re-evaluate their approach to Security, Risk, & Governance— Speed is key in tackling data breach fallout In the age of social media and public relations crises snowballing out of control, the ensuing hours after a data breach can make or break a company's reputation assive cyberattacks appear to go in waves and we're probably due one soon. Marriott, British Air- ways, Facebook, Dixons Carphone are just some of the big names that have been smacked hard in the corporate face. Bruis- ing data haemorrhages seem to be a reg- ular occurrence, while the dreaded fall- out on social feeds, tabloid headlines and 24-hour online media can be legion. "Once more unto the breach, dear friends, once more" is not so much a line from Henry V and the Bard himself, but more a 21st-century hue and cry from the public relations, C-suite and cybersecu- rity teams as they clamour to shore up tat- tered brand images and stymie any fi nan- cial losses. "One of the first challenges in dealing with a cyberattack is time. Incidents can go viral and global in an instant. Organ- isations will be dealing with short time- frames to manage reputational risk, recover data and prepare a co-ordinated response to regulators, third parties and affected customers," says Dr Paul Robert- son, cybersecurity, privacy and resilience director at EY. We also have to face up to the fact we live in a post-GDPR world. Companies have 72 hours to fess up to a cyberattack or face crippling fines under the EU's Gen- eral Data Protection Regulation. As the clock ticks in those early hours, the pres- sure can be extreme. "Consumers are becoming increas- ingly sav v y about the value of their data. Transparency, par ticularly when Davey Winder Award-winning journalist and author, he specialises in cybersecurity, contributing to Infosecurity magazine. Kate O'Flaherty Freelance tech writer specialising in cybersecurity, her work has appeared in The Guardian, The Times, The Economist, Forbes, and Wired UK. Matthew Staff Former editorial director, he is now applying his multi-sector B2B experience across numerous industry titles. Nafeez Ahmed Investigative journalist and editor of Insurge Intelligence, he has contributed to The Guardian, Independent, VICE and The Atlantic. Nick Easen Award-winning journalist and broadcaster, he writes on science, technology, economics and business, producing content for BBC World News, CNN and Time magazine. Nick Ismail Content editor of Information Age, he writes for technology leaders, helping them manage business-critical issues for today and in the future. Oliver Pickup Award-winning journalist, he specialises in technology, business and sport, and contributes to a wide range of publications. ically – as the breach involved virtually everyone who entered their credit card details on their website over the period of the hack." In the summer of 2018, the details of around 380,000 airline bookings were compromised when hackers obtained names, streets and email addresses, as well as credit card numbers, expiry dates and security codes; certainly enough information to steal from people's bank accounts. In textbook style, British Air- ways immediately contacted customers when the breach became clear. "Within the incident report, you had to scroll down the page to see the advice related to credit cards. At the time, the announcement was your passport details were safe and that your card details were at risk. You can see that PR teams will try to soften the scope of a data breach, but this doesn't help the media or the general public understand the scope of an attack," says Professor Buchanan. Look closer and you may realise that our data infrastructure has been built using methods created in the 20th century and we're now having to re-engineer our data- fed world to deal with security in the 21st, including the cloud, mass digitalisation of supply chains, the internet of things, robot- ics and artifi cial intelligence, as well as the merger between physical and cyber-realms, the so-called fourth industrial revolution. Next-generation intelligence-driven security is needed. "Before a breach, busi- nesses struggle to know whether they need to invest and struggle to under- stand what the impact of inaction will be on their business. They know this after a breach, of course, but at which point it's too late," says Nigel Ng, vice president of international sales at RSA Security. Many organisations are now being more proactive and less reactive. As Cesar Cer- rudo, chief technology officer at IOActive, puts it: "This is no longer an IT issue, but a business imperative." Although prepared- ness is more prevalent in the likes of say financial services than in healthcare. Big companies now have so-called fi re-response policies and cyber- breach simulations bringing IT, public relations and customer service teams together as they work on dry runs and responses. How- ever, there's increasing realisation that a more holistic approach is needed. "Embedding security into an organi- sation's DNA goes far beyond just raising awareness or training people; everyone needs to understand how the business decisions they make can impact cyber- risk," says Mr Horne. However, this still doesn't tackle the issue of reviving pub- lic trust, which is sorely needed before the next round of breaches. "It is often difficult to tell the difference between say a bank which invests heav- ily in their cybersecurity and one that doesn't," says Professor Buchanan. "For those affected, it is often finan- cial loss, which worries many people, and therefore we need ever-increasing levels of security. Our 'Wild West' of data-han- dling and data-mining needs to end some- time soon. Maybe there should be cyber- security ratings for companies, where they would be extensively audited for the detection and response to incidents." There's a thought. Distributed in Publishing manager Reuben Howard Digital content executive Fran Cassidy Head of production Justyna O'Connell Design Grant Chapman Sara Gelfgren Kellie Jerrard Harry Lewis-Irlam Samuele Motta Head of design Tim Whitlock Associate editor Peter Archer Published in association with Although this publication is funded through ad- vertising and sponsorship, all editorial is without bias and sponsored features are clearly labelled. For an upcoming schedule, partnership inquir- ies or feedback, please call +44 (0)20 8616 7400 or e-mail info@raconteur.net. Raconteur is a leading publisher of special-interest content and research. Its publications and articles cov- er a wide range of topics, including business, fi nance, sustainability, healthcare, lifestyle and technology. Raconteur special reports are pub- lished exclusively in The Times and The Sunday Times as well as online at raconteur.net. The information contained in this publication has been obtained from sources the Proprietors believe to be correct. However, no legal liability can be accepted for any errors. No part of this publication may be reproduced without the pri- or consent of the Publisher. © Raconteur Media /cybersecurity-2019 @raconteur /raconteur.net @raconteur_london CYBERSECURITY A R T I F I C I A L I N T E L L I G E N C E C Y B E R - R E S I L I E N C E B Y D E S I G N F I N A N C I A L I M P A C T How should IT experts respond when AI falls into the wrong hands? Building a cyber-secure business from the ground up Five ways cyberattacks can destroy company value 02 06 09 raconteur.net Nick Easen M I N C I D E N T R E S P O N S E Contributors I N D E P E N D E N T P U B L I C A T I O N B Y 2 4 / 0 2 / 2 0 1 9 # 0 5 7 0 R A C O N T E U R . N E T Tim Cooper Award-winning freelance fi nancial journalist, he has written for publications including The Spectator, London Evening Standard, Guardian Weekly and Weekly Telegraph. Ponemon Institute/IBM 2018 Marsh/Microsoft 2018 MOS T CONCERNING CONSEQ UENCES OF A CYBER AT TACK Percentage of executives who believe the following would have a big impact on their organisation TIME TAKEN TO IDENTIFY AND CONTAIN A DATA BREACH, BY ROOT CAUSE Survey of 477 companies that experienced a data breach in 2018 One of the first challenges in dealing with a cyberattack is time. Incidents can go viral and global in an instant Business interruption Reputational damage Breach of customer information Average number of days to identify Average number of days to contain Data or software damage Extortion/ransomware Loss/theft of intellectual property Liability to third parties resulting from a breach Disruption/interruption of industrial systems or other technology 75% 59% 55% 49% 41% 35% 29% 28% 221 81 Malicious or criminal attack 177 60 System glitch 174 57 Human error CYBERSECURITY Speed is key in tackling data breach fallout C Y B E R - R E S I L I E N C E F I N A N C I A L I M P A C T Building a cyber-secure business from the ground up Five ways cyberattacks can destroy company value 09

Articles in this issue

Links on this page

Archives of this issue

view archives of Raconteur - cybersecurity-2019