Data/Cyber

British Airways faces record GDPR fine

BY Richard Summerfield

British Airways is to be fined £183.39m by the UK’s Information Commissioner’s Office (ICO) for data protection breaches.

The fine, as set forth by the ICO, will be the largest penalty handed down since the implementation of the European Union’s (EU’s) General Data Protection Regulation (GDPR). The regulator said the company will have a chance to contest the proposed fine, which is roughly 1.5 percent of the airline’s 2018 worldwide annual revenue of £11.6bn, well below the maximum rate of 4 percent that can be applied under the GDPR.

According to the ICO, weak security on the airline’s website allowed users to be diverted to a fraudulent page, starting in June 2018. The ICO’s investigation found that customer details, including login, payment card, name, address and travel booking information, of around 500,000 users had been harvested in the incident.

“People’s personal data is just that – personal,” said Information Commissioner Elizabeth Denham. “When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”

British Airways, which has subsequently improved its security protocols, has said it will fight the ruling. The airline can appeal against the findings and scale of the fine before a final decision by the ICO. “We are surprised and disappointed in this initial finding from the ICO,” said Alex Cruz, the chair and chief executive of British Airways. “British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft. We apologise to our customers for any inconvenience this event caused.”

The ICO noted: “British Airways has cooperated with the ICO investigation and has made improvements to its security arrangements since these events came to light. The company will now have opportunity to make representations to the ICO as to the proposed findings and sanction.”

News: British Airways faces record 183.4 million pounds fine over data theft

Frequency of cyber attacks increases amid defence deficit

BY Richard Summerfield

The number of cyber attacks, and the cost of those attacks, increased markedly in 2018, according to a study commissioned by insurer Hiscox.

The Hiscox Cyber Readiness Report 2019 surveyed nearly 5,400 professionals from the US, UK, Germany, Belgium, France, Spain and the Netherlands who are responsible for their company’s cyber security.

According to the report, 61 percent of the firms surveyed experienced one or more cyber attacks in the past year, compared to 45 percent in the previous year. However, the proportion of those firms achieving top scores for their cyber security readiness fell year-on-year. The median cost for losses associated with cyber incidents increased significantly, from $229,000 to $369,000.

The report, now in its third year of publication, noted that while hackers previously focused mainly on larger companies, small- and medium-sized firms are now equally vulnerable. Around 47 percent of small firms – companies with fewer than 50 employees – reported attacks, up from 33 percent last year. Sixty-three percent of medium-sized businesses, those with 50 to 249 employees, were targeted, up from 36 percent the previous year.

“The cyber threat has become the unavoidable cost of doing business today,” said Gareth Wharton, cyber chief executive at Hiscox. “The one positive is that we see more firms taking a structured approach to the problem, with a defined role for managing cyber strategy and an increased readiness to transfer the risk to an insurer by way of a standalone cyber insurance policy.”

“The message that cyber risk is a real threat to businesses of all sizes is sinking in,” said Meghan Hannes, cyber product head for Hiscox in the US. “Companies are increasingly aware of the risks and pouring more resources into cyber protection, and yet, there is still a tremendous gap between awareness of the issue and actually having an effective defence. Many believe that increasing cyber-related spending fully protects a business, but it isn’t enough. Businesses must take a holistic approach, ensuring they can properly maximise their investment with appropriate internal protocols, staffing, and employee training, ultimately creating a human firewall as the first line of defence.”

The average spend on cyber security is now $1.45m, up 24 percent on the previous year, and the pace of spending is accelerating. The total spend by the firms in the survey comes to $7.9bn. Two-thirds of respondents (67 percent of firms) plan to increase their cyber security budgets by 5 percent or more in the year ahead.

Report: The Hiscox Cyber Readiness Report 2019

FireEye report – Aggressive new attackers emerge

BY Richard Summerfield

The cyber security industry evolved significantly in 2018, with aggressive new attackers emerging, according to the FireEye Mandiant ‘M-Trends 2019 Report’.

Encouragingly, however, organisations are getting better at responding to breaches quickly. Over the past eight years, dwell times have decreased significantly – from a median dwell time of 416 days in 2011 to 78 days in 2018.

Thirty-one percent of the breaches investigated by Mandiant last year had dwell times of 30 days or less, up from 28 percent of compromises in 2017. Twelve percent had dwell times greater than 700 days, down from 21 percent in 2017.

The report suggests that the increase in compromises detected in less than 30 days is due to greater use of ransomware and cryptominers over the last 12 months, which are detected faster. FireEye also believes that companies are improving their data visibility through better tooling, which allows for faster response times. In the Americas, the median dwell time fell from 75.5 days in 2017 to 71 days in 2018.
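The dwell-time figures above (median, share of compromises detected within 30 days, share over 700 days, regional median) are the metrics a security operations team can compute from its own incident records. The following is an added example, not code from FireEye or the M-Trends report; it uses constructed incident records and assumes dwell time is measured as the number of days between the first evidence of compromise and detection, with the 30-day and 700-day cut-offs taken from the report figures quoted above:

```python
from datetime import date
from statistics import median

# Constructed sample incidents for illustration only (not M-Trends data):
# (region, date of first evidence of compromise, date of detection)
SAMPLE_INCIDENTS = [
    ("Americas", date(2018, 1, 5), date(2018, 1, 20)),    # 15 days
    ("Americas", date(2017, 11, 1), date(2018, 3, 10)),   # 129 days
    ("Americas", date(2018, 4, 2), date(2018, 6, 12)),    # 71 days
    ("EMEA", date(2016, 2, 1), date(2018, 2, 15)),        # 745 days
    ("EMEA", date(2018, 7, 1), date(2018, 7, 25)),        # 24 days
    ("APAC", date(2017, 1, 1), date(2018, 5, 1)),         # 485 days
]


def dwell_days(first_evidence, detected):
    """Dwell time in days: first evidence of compromise until detection."""
    if detected < first_evidence:
        raise ValueError("detection cannot precede first evidence of compromise")
    return (detected - first_evidence).days


def dwell_time_summary(incidents, short_cutoff=30, long_cutoff=700):
    """Summarise dwell times the way the report's headline figures are stated.

    Returns the overall median, the percentage of incidents detected within
    `short_cutoff` days, the percentage exceeding `long_cutoff` days, and the
    median per region. Percentages are rounded to one decimal place.
    """
    if not incidents:
        raise ValueError("no incidents to summarise")

    dwell = [dwell_days(first, found) for _, first, found in incidents]
    total = len(dwell)

    by_region = {}
    for (region, first, found) in incidents:
        by_region.setdefault(region, []).append(dwell_days(first, found))

    return {
        "incidents": total,
        "median_days": median(dwell),
        "pct_short": round(100.0 * sum(d <= short_cutoff for d in dwell) / total, 1),
        "pct_long": round(100.0 * sum(d > long_cutoff for d in dwell) / total, 1),
        "median_by_region": {r: median(v) for r, v in sorted(by_region.items())},
    }


if __name__ == "__main__":
    summary = dwell_time_summary(SAMPLE_INCIDENTS)
    print(f"incidents: {summary['incidents']}")
    print(f"median dwell time: {summary['median_days']} days")
    print(f"detected within 30 days: {summary['pct_short']}%")
    print(f"dwell time over 700 days: {summary['pct_long']}%")
    for region, med in summary["median_by_region"].items():
        print(f"  {region}: median {med} days")
```

The per-region median mirrors the Americas figure quoted above; tracking the short-dwell share separately from the median is what lets a team tell whether faster detection is genuinely improving or, as the report suggests, simply reflects noisier intrusions such as ransomware that announce themselves.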

Nation states continue to pose an increasingly dangerous and evolving threat. The report identifies North Korea, Russia, China and Iran, among others, as the most threatening actors, which are continually enhancing their capabilities and changing their targets in alignment with their political and economic agendas. The report suggests that significant investments have provided these actors with more sophisticated tactics, tools and procedures, with some becoming more aggressive and others better at hiding and staying persistent for longer periods of time.

There are a number of important steps companies must take if they are to resist attacks which are coming in increasingly diverse forms. Attackers are targeting data in the cloud, including cloud providers, telecoms and other service providers; they are re-targeting past victim organisations and are even launching phishing attacks during mergers & acquisitions (M&A) activity.

“By regularly reviewing and updating their incident response plans and associated use cases and playbooks, organisations can mitigate the risk of destruction of important evidence, failure to identify major breaches, and extending the duration of breaches,” notes the report. “Organisations should incorporate important concepts such as evidence preservation during remediation activities, context of alerts instead of simple volume metrics, and eradication timing into these documents. This will empower front line analysts to effectively escalate relevant information to decision makers and avoid costly mistakes.”

Report: M-Trends 2019

The evolving cyber threat

BY Richard Summerfield

2018 was a challenging year for the cyber security industry as threat actors’ tactics, traits and techniques continued to evolve. As a result, the number of large corporations which fell victim to cyber attack continued to grow last year, according to AppRiver’s ‘2018 Global Security Report’.

AppRiver’s Email Security and Web Protection filters quarantined more than 10 billion global threats, including: (i) 8.3 billion messages containing URL-based malware, phishing attacks and text-based attacks; (ii) 300 million emails that included malware in a message attachment, the majority of which were Word files with embedded macros; and (iii) 4.5 billion quarantined messages that originated in the US.

Trojan attacks surpassed the number of ransomware attacks, becoming the most commonly distributed threat type – Trojans were dispersed more than 20 million times. The ‘Trickbot Trojan’ and ‘Emotet’ were particularly prominent threats. Emotet, which functions as a downloader of other banking Trojans, cost state, local, tribal and territorial (SLTT) governments up to $1m per incident to remediate. In order to defeat such attacks, companies must deploy a robust ‘defence-in-depth’ approach, the report notes. Distributed Spam Distraction (DSD) and Business Email Compromise (BEC) attacks also became more prominent in 2018.

“The lines between hacking, cybercrime, and cyberwarfare are increasingly blurred now,” said Troy Gill, AppRiver’s senior cybersecurity analyst. “As a result, protecting small- and mid-sized businesses must be considered an integral part of our larger national cybersecurity posture. To be most effective, our strategy must be comprehensive, addressing vulnerabilities at all levels.”

Looking ahead, the report notes that internal ecosystem attacks will increase and attackers will employ more ‘bleeding-edge’ attack methods. It also expects more advanced attack techniques to trickle down from the nation-state level, fuelling more for-profit attacks against the public.

The rapid growth of the number of Internet of Things (IoT) devices will also create challenges, particularly as the lack of security being built into such devices will leave parties exposed.

Report: 2018 Global Security Report

Cyber security M&A climbs as attacks increase

BY Richard Summerfield

Cyber security M&A is on the rise, as a result of the increasing number of successful, high-profile cyber attacks, the continued digitalisation of businesses and the proliferation of new regulations, such as the European Union’s General Data Protection Regulation (GDPR), according to Hampleton Partners’ 2018 Cybersecurity M&A Market Report.

“Hacking is the newest form of warfare against businesses as well as nation states. The average cost of a single data breach is now €3 million, up by six percent in a year, plus the reputational damage which can be catastrophic,” said Henrik Jeberg, a director at Hampleton Partners. “Given the increasing market demand for cybersecurity solutions due to regulation, digitisation, high profile hacks and new technologies requiring security, we are not surprised to see a highly active M&A market for cybersecurity assets at high valuations. I expect cybersecurity to remain a hot topic in M&A, even if we go into a period of more volatile financial markets.”

There have been a number of notable M&A deals in the tech space this year, particularly in H2. The report identifies the identity and access management subsector as one of the most notable areas of activity. The space saw a number of large deals, including acquisitions by Verimatrix and Cisco.

The private equity (PE) industry has also become an active participant in the cyber security market. Indeed, PE investors have become top bidders for a number of large cyber security assets. Thoma Bravo, TPG Capital, Francisco Partners and Vista Equity Partners have all increased their investments in the cyber security space this year.

The importance of cyber security is becoming increasingly evident, particularly as the average cost of a cyber breach continues to rise. In 2017, the average cost of a single data breach rose 6 percent to €3m per breach. It therefore seems likely that the cyber security space will remain a key target for acquirers in the months ahead.

Report: 2018 Cybersecurity M&A Market Report

©2001-2019 Financier Worldwide Ltd. All rights reserved.