How to stop the hackers at your door
Hacking has been part of popular culture for as long as there have been computers. And according to Doree Keating at EY, the reality is far more prosaic than the image portrayed in films such as The Italian Job or The Matrix.
“This is really about economic impact,” she says. “The digital dimension is relatively new, but business leaders are better to think of this in the age-old context of fraud, manipulation and industrial espionage.”
“It’s about marrying the technical aspects of cybersecurity and the business component of running a company,” says EY’s cybersecurity leader Siobhan MacDermott. “We’re looking at the coming together of threat intelligence, economic anomalies and geopolitics.”
Media attention focuses on big, embarrassing breaches — the Sony Pictures hack, for example, which involved as much as 100 terabytes of data, or the 25 gigabyte Ashley Madison adultery website hack, which led to a US$567m class-action lawsuit from its members.
But the high-profile cases are often those with the sloppiest execution. The recent hack of British telecoms firm TalkTalk is a prime example. Initially, account details for 4 million customers appeared to have been compromised, and the company’s market cap fell more than 25%. But the teenaged hackers were quickly caught, and it transpired that only incomplete financial information on 157,000 accounts was accessed.
Nevertheless, TalkTalk has taken a £30m (US$45.6m) hit to its bottom line as a result of the breach, plus lost sales.
“That’s why cyber economics means being more proactive,” says Keating. “If you have a clearer picture of your own vulnerabilities and those in the systems of your counterparties, you’re much more likely to find the right hygiene level and can plan more coherently should the worst happen.”
How big is the problem?
Putting accurate numbers on cyber economy risks is almost impossible. A report from insurer Allianz Global Corporate and Specialty in 2015 put the cost to organizations globally at US$445b. Hewlett Packard and the Ponemon Institute of Cyber Crime believe attacks cost the average US firm US$15.4m. And a World Economic Forum report said adding the effect of attacks on the pace of technology and business innovation bumped the economic cost to US$3t annually.
And according to the UK’s security service GCHQ, 8 in 10 larger companies have already been compromised. Keating explains: “An intruder will gain access to a network and simply take a watching brief. They’re not interested in stealing big chunks of data — they’re targeting strategic decision-making, market intelligence and financial data, especially around M&A deals.”
Cyber M&A mitigation
So, how should acquirers protect themselves? “We start with the company itself — doing sophisticated searches to build up a profile of their cybersecurity and identify possible gaps in their approach,” says Keating. “We then follow up with the economic angles: a sensitivity analysis around growth strategies, for example, to illustrate how rivals might target them in a deal. That enables us to show what we can learn before we even touch their network.”
A deeper probe into past breaches, system robustness and high-value data targets sets out a baseline for the acquirer. Once a target has been identified, a similar process — testing from the outside, a detailed security and economic audit, analysis of past breaches — builds up a picture of its potential vulnerabilities.
“There should also be more focus on the supply chain of the target company,” says MacDermott. Third-party data centers and the way cloud services are configured are other considerations of a cyber economic approach. “A detailed entity analysis should include potential links to nation states and organized crime,” says Keating. And this should apply to a target’s suppliers or even shareholders.
“Every business ought to be busy identifying any potential issues and being honest about their vulnerabilities,” Keating concludes. “It’s vital to understand how the cyber economic threat is evolving, monitor your own systems, analyze suspicious activity and adapt your tactics accordingly. Having remediation plans is a must — but mitigation of the risk ahead of time is the real objective.”