Cyber Warfare Comes to Your Yahoo Inboxes
“There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.”
John Chambers, former CEO of Cisco
Yesterday’s announcement that Yahoo was hacked in 2014, potentially by a nation state, appears to have been a shock to Verizon, the company that was looking to acquire Yahoo for $4.83bn, but will have been less of a surprise to those who attended a recent Skarbek breakfast on cyber “drone strikes”. Yahoo appears to have exhibited many of the failings that Skarbek identified and may face the drastic consequences that were highlighted at the event.
Ed Butler cited John Chambers’ quote to highlight to the seminar attendees that the cyber threat is all too real and relevant for every type of business and individual. In his role as Head of Risk Analysis at Pool Re, Ed is looking at the threats posed by cyber terrorism and how these perils can be modelled. Although the threat actors are different, the consequential losses could be very similar. The focus of the session was on increasing understanding of where the threat could come from, the potentially catastrophic impact of that threat and what organisations can do to mitigate these risks.
Where do threats come from – who is out to get you?
The talk started with an exposé from Chip Chapman, former global head of counter-terrorism in the UK MOD, on the sheer scale of cyber-attacks: for example, there are now 7 trillion spam emails a year in the US alone. The multiplicity of people, organisations and nations posing a cyber threat, and the sophistication of their tools and resources, means that it is not a question of IF organisations will come under threat, but WHEN and
As the Yahoo story shows, cyber warfare is already a reality. Cyber allows opposing sides to obtain data on individuals’ whereabouts and activities, but also “metadata”, information which can be used to infer even greater insights. For example, once a person’s Facebook account has been hacked, attackers can learn their pets’ or children’s names and use these to guess the victim’s passwords. The many people who use the same password for their Yahoo account and their banking or other sites become easy targets for financial fraud. For the military, these insights allow them to target and disable infrastructure or individuals. In a commercial setting, your life might not be on the line, but the commercial consequences can be fatal to your organisation.
The UK Government has recently acknowledged the growing scale of the threat by announcing that GCHQ intends to erect a national firewall to protect against malicious hackers. Whilst this move is raising privacy concerns, the reality is that a threat on this scale is going to warrant equally dramatic measures to contain it, and that individuals and companies on their own will be seriously challenged to protect themselves in the new cyber reality. In a further sign of just how seriously it is taking the threat, the UK has also established the National Cyber Security Centre with the goal of ensuring that people, public and private sector organisations and critical national infrastructure are
Whoever attacked Yahoo may only have been interested in accessing the details of a few people. However, this is a clear example that cyber warfare is already affecting every one of us and that this threat must be taken extremely seriously.
The catastrophic impact of cyber threats
A cyber-attack can destroy your business. It is important to understand the true cost of a breach. As well as the direct cost of downtime and lost revenues, changes in legislation mean that companies face potentially huge fines for data breaches. Yet even these pale into insignificance when compared to the potential reputational risk and impact on share price for publicly traded companies. Yahoo is experiencing this at first hand: there is talk that its $4.83bn deal with Verizon is at risk, which could have a direct financial impact of $145m if the break clause is triggered, with significant potential ramifications for Yahoo’s share price. The comments being made across social media starkly reveal the scale of the loss of trust in the company.
It isn’t just big organisations that are vulnerable. The UK Government estimated in 2015 that the average cost of business disruption to a company from a cyber-attack was up to £2m, but then identified multiple other financial consequences, such as lost business, cash spent responding to incidents, fines and compensation payments, lost assets and damage to reputation, which could add hundreds of thousands of pounds to the total cost.
Cyber-crime is growing at an incredibly fast rate: Grant Thornton estimated that the cost of cyber-crime in the EU was just over $62 billion in 2015 alone, with a further $81bn in Asia Pacific and $61.3 billion in North America. John McFarlane, CEO of Barclays, summarised the scale of the threat by likening it to the “Black Market on steroids.” As Ed Butler said, “Why go to all the trouble of a bank heist, when you can be really smart and access the money online?”
Where do threats come from?
Corporate and personal cyber-attacks come in all shapes and sizes, from the individual looking to gain access out of intellectual curiosity, to governments and non-state actors seeking to obtain commercially or personally sensitive information for destructive purposes and criminals looking to make money.
Whilst the nation state attacker may generate the big headlines, some of the greatest threats come from within your own organisation. It’s easy to think about the disgruntled employee out for revenge. There are also the sub-contractors, cleaners or repair people who come in with apparently legitimate reasons and then access sensitive information. They can knowingly wreak havoc on an organisation’s data and systems. However, one of the greatest challenges, and one that organisations can do something about, is the “Pretty Dumb People”: the individuals working for your company or as sub-contractors who click on a spam email allowing an electronic intruder to download malware or ransomware, the people who write their passwords on a piece of paper and leave it taped to their computers, the staff who connect to unknown networks in cafes without adequate protection or forget their laptops when they leave.
What can you do about it?
The entire organisation needs to own and address the threat. Given the almost unassailable scale of risk and multiplicity of vulnerabilities within organisations, the speakers underscored the critical importance of having and effectively executing plans that not only minimise the risk of a breach but also acknowledge and prepare for the high likelihood of a system and data being compromised.
Traditionally, many organisations have seen this as an IT issue, but the event underlined that the threat targeted the very existence of an organisation and that all stakeholders had a role to play in both mitigating and dealing with the consequences of a data breach. As Chip put it, “Cyber security is an information and data assurance issue, not an IT issue.” Given its central importance, it was vital that cyber security risk be considered in the same way as any other existential threat to an organisation and be owned by all members of the Board, senior management team and ultimately the entire organisation.
The complexity of the challenge becomes clearer when it is analysed in a structured way. The grid in Fig. 1 highlights 45 potential domains along which an organisation can be attacked and hence the foci along which systems need to be secured. This grid is further complicated by the fact that these domains actually operate in three dimensions: every function within an organisation plays a role in addressing the issues, and third party stakeholders such as suppliers and customers are also implicated.
Fig. 1 The Contestable Domain of Cyber Space
The other great challenge is mitigating cyber risk when it is a fast-moving target, with technology changing at an ever increasing rate. The rise of the Internet of Things is dramatically increasing personal and organisational vulnerability; most of us have no idea that wearing a smart watch makes our data much more accessible to those with nefarious aims.
The insurance sector hasn’t caught up with cyber risk
For those who think of the cyber threat as just another risk that can be insured against to protect a company, Ed explained that the business of cyber insurance is still at an early stage. In order to insure a risk, its nature and scale must be quantifiable. This is relatively easy to achieve for a natural disaster such as a typhoon. However, there is a lack of data on cyber breaches and the systemic losses that could arise as a result; not surprisingly, it is not something that people or companies tend to publicise, as demonstrated by Yahoo’s mega-breach only becoming public 2 years on. In his role as an advisor to the Cyber Re reinsurance business, Ed is playing a role in understanding how to manage and finance the insurance of cyber risk. Regardless of the solutions, the scale of exposure that companies face means that they cannot look to insurance alone to rescue them.
The four elements of a Cyber Plan
The discussion at the seminar went on to identify ways to address cyber risk, starting with a careful evaluation of an organisation’s “data crown jewels” – what was most precious to it and therefore warranted the highest degree of protection. It was up to the Board to have a clear handle on what types of data breach could cripple their businesses and to prioritise investment in protecting their critical data and preparing for the consequences of a potential breach.
When it comes to addressing the threat, it isn’t sufficient to think like an “armadillo” – with a tough layer on the outside but a soft underbelly. An “onion model” of multiple layers of defence is required. This multi-faceted approach was another reason why attention was needed at every level from the board down to ensure adequate protection. Every organisation needs a plan which addresses the four key elements vital to minimise the risk and potential impact of a threat: Avoid – Detect – Survive – Recover.
So far, Yahoo does not appear to be delivering on these four elements. In terms of “Avoiding”, Yahoo’s password protection mechanisms were in place but used outdated and inadequate methodology. A process as simple as mandating frequent password changes may not have prevented the breach, but could potentially have limited the damage considerably. When it comes to “Detecting”, it has taken 2 years for the attack to be made public. In terms of “Surviving”, there appear to be gaps in its plans to mitigate the impact: for example, Yahoo customers in the Skarbek team still haven’t received any communication from the company alerting them to the issue and advising them what to do about it, and the announcements from the company have been limited. Only time will tell if they are able to recover…
Why effective strategy implementation is critical to addressing cyber threats
Having a Cyber Plan is a key starting point, but it is insufficient. Even in the best firms, 70% of strategies do not get fully implemented. A Cyber Plan must address the ways in which an organisation protects itself from attack and the ways in which it responds to one, focusing on the four elements identified above. These plans must involve all the key stakeholders, including HR and Facilities, who can help mitigate the cyber risk posed by staff, contractors and suppliers.
Even once a plan is in place and fully implemented, it needs to be maintained and updated – cyber threats are continually evolving and companies’ strategies need to keep pace with this.
In summary, cyber threats are growing exponentially and evolving rapidly. The threat is very serious, as a business can be the target of the spotty-faced teenager, state and non-state actors, criminals and terrorists. Your plans to defend and plans to respond must be revisited and adapted on a regular basis. It is vital that organisations intensify their response, including integrated risk management, crisis management and continuity plans. Every organisation’s cyber strategy needs to be challenged and tested on a routine basis. Most importantly, the initiatives, projects and day job responsibilities must be fully understood and fully implemented. It may sound like paranoia, but this talk highlighted the reality that cyber is a very persistent, present and increasing threat that we ignore at our peril. But, before we sink under the weight of the challenge, the speakers also offered the message that many of the counter-measures are common sense and low cost; as ever, effective strategy implementation can make a difference.
About Skarbek Associates
Effective strategy implementation lies at the heart of Skarbek Associates’ work. When it comes to cyber security, the company specialises in providing an integrated approach to solving clients’ problems in developing and implementing an effective cyber strategy. Across both the plan to defend and the plan to respond, they are able to ensure effective implementation, coordinating the multi-disciplinary parts of the jigsaw necessary for a complete cyber strategy. Skarbek also provide ‘red-team’ events for boards and management teams, together with capability building to increase readiness and resilience.