Throughout 2018, British firms have faced an increase in both the volume and sophistication of cyber-attacks.
Reflecting on the evolution of threats over the year, cybersecurity experts convened at an event at UKFast in Manchester to analyse the year’s biggest breaches and discuss what UK businesses can learn from them.
Morrison’s: Insider threats are the most prevalent type of attack facing businesses today, experts say.
In November 2018, Morrison’s supermarket chain was ruled vicariously liable for the breach of nearly 100,000 employees’ personal data, leaked three years before by a disgruntled worker.
Annabelle Gold-Caution, Associate at European law firm Fieldfisher, said: “The risk of business owners being held responsible for data breaches caused by employees must be considered in security policies, and mitigated by implementing strong data access permissions.”
Experts recommend that business owners implement policies which allow access to company data on a ‘least-privilege’ basis, cutting the number of people with access to critical data and reducing the risk of unauthorised data sharing.
Facebook: Reputational damage is a serious side effect suffered by many attacked organisations. Tech giant Facebook reported two major data breaches in 2018 caused by exploited network vulnerabilities.
The firm’s reputation has suffered irreparable damage as a result, with one in 20 Brits, and millions across the globe, reported to have deleted their accounts after the second breach was publicised.
Paul Mason, IT Security, Education and Training Specialist at cybersecurity firm Secarma, said: “When news of the second Facebook data breach came to light the company’s stock price fell 6% in just two hours.”
Although data can be retrieved with good disaster recovery strategies, reputations may not be as easily recovered. Businesses must keep networks up to date, patched and regularly tested to stay one step ahead of those willing to take advantage.
Lloyds TSB: Showing that not all breaches are down to hackers, Mason also reflected on the Lloyds TSB case from April 2018, where TSB failed to securely move their banking app from one system to another.
The transition prevented many users from accessing their own accounts and many were able to see details of other users’ accounts. As a result, leaked data was exploited by fraudsters posing as TSB investigators, with some TSB customers scammed out of £30,000.
Mason commented: “It’s not just leaked data that breaches GDPR legislation; Lloyds failed to provide their consumers with three basic data rights: availability, integrity and confidentiality. Businesses must ensure they’re protecting the data rights of their consumers at all times or face potential fines.”
The extent of fines issued to the bank under GDPR legislation is yet to be confirmed.
We will no doubt see a continued stream of high-profile cyber-attacks and data breaches in 2019. Will businesses learn from the misfortunes of companies in the public eye throughout 2018? Only time will tell.