Addressing the dark web challenge in the boardroom
August 2017 | SPECIAL REPORT: TECHNOLOGY RISK MANAGEMENT
Financier Worldwide Magazine
August 2017 Issue
If you are part of a board of directors, and cyber security is not on your agenda at the moment, you are putting your entire company in jeopardy. While cyber security may not directly help you grow revenue or improve profit margins, it is worth giving it the attention it deserves – because the consequences of breaches could be dire in terms of damage to your reputation, share price, disruption and lost revenue.
One respondent to the Department for Culture, Media & Sport’s (DMCS) ‘Cyber security breaches survey 2017’ typifies the lack of concern by boards: “Cyber security is one of the senior managers’ lowest concerns. It is less concerning than physical problems, like engines breaking. That is costing them money so they want to address that, whereas this is not costing us anything”.
‘This isn’t costing us anything’ is the kind of attitude that many companies have – before they get stung – and it is an exceptionally dangerous stance to have. Ciaran Martin, head of the GCHQ’s National Cyber Security Centre (NCSC), recently said that it is “unacceptable for boards to plead ignorance about the threat from cyber attacks” and that “boards must start to treat cyber threats with the same level of critical importance as they do financial or legal issues”.
You only have to look at the media headlines around the recent high-profile cyber attacks to understand why cyber security should grab the attention of boards. And there have been a great many attacks recently. Last month it was the WannaCry attack, which crippled the productivity of the NHS and put lives at risk. Soon after, parliament was hit by a ‘sustained’ attack, which compromised 90 government email accounts. And most recently, WPP reported it had been hit by a cyber attack. These kinds of attacks are just the tip of the iceberg of what goes on every day in the cyber criminal world.
However, below the tip of that iceberg, a growing threat exists that much of the media – and subsequently company boards – are missing: the threat of corporate data being traded on the dark web. Cyber criminals are busy stealing data from within corporate networks and listing it for sale on areas of the internet where search engines cannot reach – and the organisations from whom data has been stolen neither know about it nor can do anything about it. Everything from employee names, addresses and logins and corporate credit card information is readily available, and companies carry on completely unaware of any illegal activity.
As if the problem of data theft was not dangerous enough, it is about to get much worse for companies next year when the UK enforces the General Data Protection Regulation (GDPR) legislation, replacing the 1998 Data Protection Act. At the moment, the average financial cost to a business as a result of a cyber breach is perceived to be small – as little as £1570 according to the DMCS cyber security survey. This figure could be a lot more, as the report admits that it is “very uncommon for businesses to monitor the financial cost of cyber security breaches”. A 2017 survey by IBM reports the figure as £2.48m for UK organisations. Whatever the figure, GDPR legislation is set to massively hike financial costs for organisations that suffer a data breach to £20m or 4 percent of their annual turnover – whichever is higher.
These fines are set to devastate businesses because, at the moment, fines are the least of everyone’s worries. According to the same piece of government research, less than 1 percent of companies that suffered a security breach stated they had been subject to a fine – and under the DPA, the maximum fine was in any case limited to £500,000. From May 2018, once the GDPR comes into force, we can expect that figure to rise sharply – for the average FTSE350 company, the fine could be more than £200m and could easily become the biggest direct impact an organisation will face as a result of a breach.
If these terrifying figures do not put cyber security, and in particular the dark web, on the board’s priority list, nothing will. For those boards that do want to pay attention, it is essential they understand how the dark web works, recognise how criminals are using these sites to buy and sell their data and put plans in place to mitigate the damage once their data that has been posted there.
The challenge, therefore, is how to find the information that criminals have listed on the dark web, which, as stated previously, has traditionally been impossible for most businesses. Now, however, there is a way, and it is through advanced search technology. This type of software can continuously monitor millions of dark web pages and dump sites, and filter and extract information based on items like personal information, login credentials, credit card numbers and domain names. The best part of this kind of software is that it can instantly alert you as soon as your data appears on the dark web – an essential feature when time is of the essence after a breach. After all, the sooner you report a breach, the lower your GDPR fine may be.
Having this information to hand will not only save businesses from receiving hefty fines from the GDPR, it also provides a good opportunity for organisations to realign their privacy practices, creating a more secure environment for their data. It is also an opportunity to ensure businesses do not take a hit to their reputation after a security breach – especially since ‘protecting reputation’ is one of the top five drivers for more investment in cyber security, according to the DMCS survey.
To conclude, it is vital that cyber security and the dark web is high on the boardroom agenda. With just under a year to go until the GDPR – and average fines from the regulator set to jump to tens or hundreds of millions of pounds – organisations need to ensure they are fully set to deal with these threats and have the right tools in place to monitor the dark web – or face the consequences.
Tim Haynes is the chief executive of RepKnight. He can be contacted on +44 (0) 2890 826 226 or by email: firstname.lastname@example.org.
© Financier Worldwide