IT Group recently took part in a Q&A roundtable for Corporate Disputes magazine entitled 'Investigating and Managing a Hack'. IT Group's Aaron Pickett, alongside Mark Pegram of Sanitas Data Security and Alex Cravero of Kemp Little, discusses the process of investigating and managing a hack, highlighting some of the key legal and regulatory issues that need to be considered.
CD: Considering today’s complex technological environment, could you provide an insight into how vulnerable companies are to being hacked? Is it essentially a matter of when, not if?
Pickett: Technological advances in society today come at an ever-increasing, ever-expanding rate. If Moore’s Law proves to be correct, the advance in technology will provide an increase of computing power at 200 percent for every two years. Over the last few years there has been an increasing trend away from hacking government and military servers, and instead aiming for retail merchants, financial institutions and law firms. Sony, JPMorgan, Target and eBay have all found their systems breached. The most popular hacks are via database injection, where usernames and passwords are created by the hackers and then inserted into the company’s web servers via vulnerable routes, and via ‘phishing’, where an employee is tricked into providing their login credentials to a hacker, typically by having them type them into a fake website. With more and more technology opening up areas to increase efficiency, the chances of an attack are rapidly increasing on a similar scale to Moore’s Law. Only a naive business would believe it has not been targeted; it is simply unaware of a breach, or luck has been on its side.
Pegram: With the ever-increasing complexity of networks, blurred boundaries are caused by a mixture of internal and cloud-based systems, outsourcing arrangements, mobile computing, bring-your-own-device policies, and so on. This opens up a huge array of attack vectors for cyber criminals to exploit. Surveys report that anywhere between 60 percent and 90 percent of companies suffer a data breach every year. Over half of those breaches are caused by external actors hacking into a corporate system. Increasingly, cyber criminals are turning to smaller companies, as generally they are easier to compromise, having invested less in technical countermeasures, and very often they do not keep their systems’ configuration up to date or provide good-quality training for staff. Most attacks – and 91 percent of targeted attacks, according to BAE Systems Applied Intelligence – start with an email, whether this is directly trying to perform a crime such as invoice fraud, or whether it is being used to gain further information or enable the installation of malicious software to further an attack. In short, it really is a matter of ‘when, not if’, and the organisations that are aware of this prepare best and have policies and processes in place to deal with it.