
Cyber security: protecting your business and your clients

In the digital age cyber attacks are commonplace, but while an attack is almost inevitable a breach is not. Paul Young, Director Cyber Security, Deloitte Consulting and Simon Shorey, Head of Online Channels, Lloyds Bank Commercial Banking, consider the makings of a strong defence.

There’s no doubt that the digital revolution is driving business innovation and growth. As well as driving down costs, technological innovations are presenting businesses with other opportunities, such as increasing integration and driving efficiencies.

However, alongside these opportunities, technology is exposing corporates and their customers to new and emerging threats. Businesses are increasingly exposed to cyber attacks, which can result in damage to their reputation and brand, as well as financial loss and customer attrition.

From script-kiddies to hacktivists

There’s a clear need for businesses to protect themselves and their customers – but taking action is not necessarily straightforward. For one thing, not all cyber-criminals are alike. Perpetrators range from young ‘script-kiddies’, who embark on cybercrime for fun before focusing on financial gain, to organised networks of criminals. Other types of attacker include politically motivated hacktivists engaging in disruptive attacks at individual or group level, and sophisticated nation states and spies armed with significant funding and highly sophisticated monitoring and attack methods.

At the same time, cyber attacks tend to include different stages of activity which can make it difficult to identify threats early. Attacks can remain undetected for large periods of time while infiltrators assess the information they are able to gather, before conducting the more noisy and detectable process of asset capture.

The treasury threat

Anyone in a company can fall victim to a cyber attack – but access to sensitive financial information and systems makes treasurers a particularly attractive target. As such, they should be fully versed in the company’s risk management strategy.

Treasurers should first and foremost be aware of the latest risks and understand the very high likelihood that the company will be the target of a cyber attack at some point – at some level, it’s almost inevitable. And the risk of actual breaches is high. A 2014 survey commissioned by the Department for Business, Innovation and Skills showed that 81% of large organisations had a security breach over the previous year, with the average cost of their worst breach at £600,000-£1.15m [1].


[1] http://www.pwc.co.uk/audit-assurance/publications/2014-information-security-breaches-survey.jhtml

G043.1096 Lloyds ACT Cyber security article.indd 1 14/07/2015 11:34


CASE STUDY – TARGET BREACH

• Malware installed on Fazio Mechanical Services system (HVAC supplier to Target)

• 12 Nov 2013: Fazio system used to gain access to Target billing and invoicing system

• RAM scraping malware deployed on Target systems, including POS systems that record payment card transactions

• Internal security warnings about malware were ignored

• Stolen customer card and personal data extracted and transmitted to external servers

• Internal security warnings about data loss were ignored

• 12 Dec 2013: DoJ notifies Target of suspicious activity on payment cards

• 19 Dec 2013 – 10 Jan 2014: Target make multiple public announcements. Intense and prolific media coverage exposed the data breach

• CEO resigns. Brand damaged, reduced operating margin and devalued assets

Impact:

• 40m payment card details stolen

• 98m customers impacted

• $248m financial costs of managing breach

• Further legal costs and fines

Source: www.fas.org/sgp/crs/misc/R43496.pdf


Establish resistance levels

In order to prepare for an attack, treasurers should also take action to reduce the net impact of any breach and minimise the time taken to recover from an attack. To establish current levels of resilience, they should ask themselves the following questions:

• Does my organisation know exactly what information is most valuable/most attractive to criminals?

• Do I have a clear procedure to follow in case of a suspicious action or event?

• Do I know who is monitoring security within the company? Do they have the appropriate skillset and provide sufficient information about current threats?

• What’s the worst possible outcome if my organisation was victim to an attack?

• Is staff cyber security awareness and training being taken seriously?

A best-in-class response

Cyber security is an evolving process. As hackers become more sophisticated and organised, it is important for businesses to constantly evolve and review their protocols. Prevention is better than cure – but a company cannot completely remove the risk that a breach will take place. As such, it’s important to respond quickly when an attack does occur.

A best-in-class cyber security response would minimise the chances of defences being breached and, in case they are, detect infiltration within minutes, with the organisation immediately alerted. By identifying attacks so quickly, the company may be able to contain the breach, pass the details over to law enforcement officers and closely manage media coverage, enabling the business to continue to prosper.

If, on the other hand, the breach is not detected and the unauthorised data transmission continues unchecked for several days, the impact of the breach is likely to be much more severe and could domino in either direction along the supply chain. Sensitive data may be irrecoverable, while rumours percolating on social media may result in adverse media coverage which cannot be controlled. The result: serious damage to the company’s reputation.

A company-wide concern

As they work to protect themselves and their customers, companies are ramping up security across their infrastructure and applications and are managing access to company systems more closely. But cybercrime is not just an IT issue: the risk touches people at all levels of the organisation. As well as increasing security, companies are also putting in place comprehensive company-wide plans.

With recognition of this issue growing at board level, cyber risk governance has become a top-down priority. Companies are addressing staff behaviour by increasing awareness of the relevant threats and educating employees about the company’s security culture. In order to gauge their level of preparation, some companies are also using ethical hackers to test their systems and draw up a defence strategy to cover any scenario. By running attack simulations and incident response exercises, companies can dramatically improve their chances of resisting an attack.

In conclusion, the difference between succumbing to a cyber attack and thwarting it is preparation. By putting in place comprehensive measures to protect themselves, companies should aim to react to a threat within minutes rather than days. Companies should also remember that cyber criminals are becoming more sophisticated every day – so whatever strategy the company has in place should evolve in line with the associated threats.


Online: lloydsbank.com/commercial

Call your relationship manager

Lloyds Bank plc. Registered office: 25 Gresham Street, London, EC2V 7HN. Registered in England and Wales, no. 2065. Authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. We subscribe to The Lending Code; copies of the Code can be obtained from www.lendingstandardsboard.org.uk
