Opinion 5 min read

How firms can fight hackers and how data regulation could help

It seems like there isn’t a week that goes by without news of a data breach or cyber-attack affecting companies and organisations.

Image: Shutterstock

At one time it seemed the gaming industry was a target with Sony and Microsoft famously failing to keep hackers at bay. Then retail bore the brunt with eBay and Target being high profile victims. Healthcare organisations were a high value target for attackers in 2015 and the latest industry in the spotlight is the legal sector.

In March 2016, it was reported that hackers broke into the computer networks of some of Americas most prestigious law firms including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, both of which represent some of the biggest companies in the world.

According to the Wall Street Journal, which first reported the news, hackers usually steal large amounts of data and then analyse it to see how it can be used. Personally identifiable information has a much longer shelf life for cyber-criminals and it easy to see how information stolen from a legal firm could be used to disrupt merger and acquisition activities or sold at a premium. As such, there is still uncertainty as to whether it will be used for insider trading a worrying prospect.

Some of the biggest – and most recent – hacks to have plagued the business world

Law firms will go to great lengths to keep attempted and successful cyber-attacks a secret as any sign that customer data is not secure can result in huge reputation issues. But the issue is, many bosses dont realise their systems have been compromised until it’s too late.

Can data regulation help

While law firms are reluctant to be publicly identified, soon bosses will have to admit to data breaches whether they like it or not. The new EU Data Protection Regulation launched by the European Commission will help businesses become more proactive with regards to their hosting and data storage strategies. It means that service providers will be able to fulfil their role as a data processor, protecting the information it handles and stores on behalf of its customers, who as owners of the data, remain the data controllers.

EU’s General Data Protection Regulation to shake up customer service communications

Businesses should also provide advice and guidance on the interpretation and protection required to meet the new harmonised data protection requirements, to avoid data breaches and violations of the law. The tougher fines and raised awareness should create a much better understanding in the C-suite of what data they hold, its value to the business and the controls required to protect these valuable assets.

Read on to find out whether this is enough.

In todays threat landscape, more needs to be done to protect data. Cybercriminals can misuse data obtained through through extortion, identity theft or gaining access to networks using social engineering tactics in multiple ways as they seek to monetise their efforts.. While many of these attacks from last year happened to systems that were not secured correctly, others were the result of skilled, determined attackers.

According to Fujitsus recent 2016 predictions, we can expect cyber-criminals to target industries that hold vast amounts of data on individuals such as the legal, education and telecommunication sectors this year. It is clear more needs to be done when protecting data within an organisation.

So what now?

Leaders need to realise that at some point their firms will become a victim of a data breach or hack. To combat this, there are several things that businesses have to do. Firstly, businesses can share threat intelligence with other companies in the same industry. This doesnt mean sharing intimate details of a companys security ecosystem, but instead sharing insight on how threats have been able to get into the business and how to defend from them. The UK government CiSP initiative is suitable for businesses to start sharing or leveraging threat intelligence.

In addition to this, organisations need to be prepared to spot, react and defend against a breach quickly, by having a threat monitoring/detection or SIEM service in place to correlate multiple log sources. This should always be partnered with an effective incident response programme.

Data breach: How to react in the crucial first 24 hours

Finally, businesses should consider security education as part of a companys overall training schedule, ensuring that the whole organisation is engaged and part of the overall cyber resilience. Each employee has their part to play in keeping assets safe so it is vital that security training and empowerment occurs from the top down.

With the frequency of data breaches growing by the second, it’s clear that no organisation can ignore the cyber threat we are facing. Its essential that organisations implement an effective security education programme alongside a strong threat intelligence system to combat todays cyber hackers.

From the CIA developed Logic Bomb to 15 year-old Michael Calce who earned the name of MafiaBoy, here are history’s biggest attacks done with nothing more than a keyboard and the internet.

Paul McEvatt is senior cyber threat intelligence manager in UK & Ireland at Fujitsu.

Share on social media

Link copied to clipboard.