Anthony Hilton: No organisation is safe from the cyber threat

Among the thousands of reports and surveys to come out at the annual World Economic Forum in Davos every January one of the most useful is the annual study of business risks in which executives rank what they consider to be their most pressing concerns.

Particularly significant at the beginning of this year was that cyber-security surged from among the also-rans to grab number three position.

One explanation for its being top of the mind is because of the global publicity generated in the run-up to last Christmas by the attack on Sony Pictures for which the North Koreans were blamed.

If that’s correct, and given that data for the next report is probably being collected now, it might well be possible after this month’s attack on TalkTalk that cyber-security will move up to top position.

Not before time, one might think. For years now at banking conferences, speaker after speaker has warned that cyber threats are one of the major challenges.

But such warnings have not been properly heeded outside the financial world. There has been a tendency in other sectors to think that this was primarily a problem for organisations whose business was money.

Companies in the mainstream too often believe they have nothing obviously attractive to a thief.

The TalkTalk debacle might convince them otherwise. Even if no money is lost, public confidence in an organisation can be badly damaged by the theft of customers’ personal data.

The financial loss may be small, but the reputational damage and hit to customer relations can be huge.

Nor are these things usually hobbyists at play. According to PwC’s John Berriman, attacks can come from four distinct sources each with their own motivation.

They are rarely, if ever, just the work of idle school boys.

Perhaps the most sinister are attacks instigated by government, agencies of government or sophisticated terrorist groups who see these as a way to flex muscles or pursue objectives without resorting to force of arms.

Banks imposing international sanctions against a country at the request of the UN or their government regularly get attacked in retaliation.

The danger is such that the Bank of England is alive to the systemic risk which might result from a cyber-attack and has ordered financial institutions to test their resilience with this in mind.

Then there are attacks originated by criminals whose interest usually is money — or blackmail as a way to extract money.

Again, according to experts, the organisation is anything but casual. The attackers are remarkably business-like with a sophisticated supply chain of specialists who have skills in different areas.

Some know how to hack in an operational sense, others work on developing the software tools hackers use.

Others again have the knowledge and logistical skills to mount widespread attacks on multiple targets in the hope that out of the thousands of attempts they will get at least one breakthrough.

Others again have specialist skills such as money laundering to handle the proceeds.

Next come the attackers who want information. This is the modern version of industrial espionage where intellectual property or a valuable commercial secret is the objective.

The target may not even be an organisation’s own data — some firms are attacked to get information on third parties with whom they deal — or have their computers penetrated because they offer a trusted route into these other firms which are the real target.

And finally there are rogue employees — the disgruntled, or those who believe they are fulfilling some higher purpose by whistleblowing.

The real lesson is that no organisation should think itself safe.

TalkTalk has come under fire in some quarters where it has been alleged that its defences were seriously unsophisticated — something the company vehemently denies. But most cyber experts maintain that if a hacker is really determined then the chances are that he or she will find a way through.

To this end, some cyber experts say business should work on the assumption that at some point, probably before too long, their organisation will be compromised.

The intelligent strategy should not be to spend zillions on defence in the possibly vain hope that the bad guys will never succeed; rather it is to structure the organisation and its systems in such a way that when they do succeed they don’t get very much.