Lax cybersecurity could create a myriad of compliance headaches

26 October 2017

Cybersecurity remains a key concern in Europe, particularly for key infrastructure in manufacturing, energy and financial services; however, a new report warns that the region continues to lag behind on breach detection. Increasing cyberattacks and new regulatory requirements, such as the GDPR, mean this could prove costly for European businesses.

Cybercrime has continued to be a key area of concern for people, businesses and governments across the globe. Over 2017, large-scale attacks have hit the UK’s NHS, and even the world’s largest cyber security firm, Deloitte, which is presently under investigation by the New York State Attorney for a breach of its email servers. Total costs from cyberattacks last year hit an estimated $400 billion, while for businesses globally the figure came in at an estimated $280 billion.

A new report from FireEye, drawing on data from Marsh & McLennan Companies, gives a broad overview of cybersecurity-related trends in Europe, as well as the key moves organisations may need to make to keep up. The report notes that the threat level continues to rise, particularly in terms of threats to key infrastructure, such as air traffic, power infrastructure and private information held by governments.

Top malware hotspots

Cyberattacks have become increasingly damaging to key infrastructure, creating considerable social and economic risks. In Germany, for instance, one attack caused significant damage to an iron plant when a control system was compromised. An attack on the power infrastructure of Ukraine, meanwhile, resulted in the loss of electricity in hundreds of thousands of homes, and in 2016 a nuclear power plant in Germany was even attacked.

Malware remains a key route of entry for attackers, with researchers identifying Germany as the most heavily targeted victim of such attacks: 19% of detected malware was aimed at German targets, followed by Belgium on 16% and the UK on 12%. Financial and health records remain the top targets for attackers focusing on individuals, while for businesses the targets include companies’ industrial control systems in 18% of cases and trade secrets in 19% of cases.

Ransomware incident increases

The study identified three sectors that continue to see considerable cybercriminal interest: financial services, government and manufacturing. Q3 2016 saw increased focus on telecom and insurance in particular, while Q2 saw focus on financial services and manufacturing. Government bodies are the top target for cybercriminals in Europe, while by contrast the top target in the US, retail, suffered very few attacks in the first three quarters of last year.

In terms of key events in the various segments, one attack resulted in the loss of $75 million from a Belgian bank, while an aircraft manufacturer lost $50 million to just one phishing scam.

Cyberevents by industry and sector

Ransomware, which featured in the recent WannaCry attack on various networks including the NHS, has become an increasing blight. The report notes that healthcare providers are often the target of such attacks, with up to 88% of infections affecting the sector. Aside from the recent globally covered attacks, the number of ransomware infections has been on the increase in recent years, with the first half of 2016 in particular including a large number of incidents.

Undetected entry

While the number of attacks continues to rise, with focus increasingly on sensitive and strategic infrastructure, companies continue to appear relatively complacent about the consequences of digitalisation. As it stands, the average European Union-based organisation takes three times as long to detect an intrusion as the global average. While the global average stands at 146 days (nearly five months), the European average is well over a calendar year, at 469 days.

The length of time between compromise and detection creates a host of problems for companies, with many hackers establishing multiple new entry points into a company following an initial breach, resulting in additional breaches in the months following initial detection.

The study notes that companies tend not to have a strong grasp of their cyber posture, although the figure has increased somewhat since 2015, from 21% to 31%. Companies are increasingly concerned, placing cyber risks in their top 5 risks 32% of the time in 2016, up from 17% in 2015.

Components of GDPR implementation

Meanwhile, such a lax attitude toward threat detection is about to become even more expensive. The enforcement of the General Data Protection Regulation (GDPR) from May next year will impose an added burden of demands on EU-based organisations, with non-compliance potentially resulting in hefty fines.

Companies will need to be on the ball to comply with the rules, which will require consent for the processing of personal information, oblige companies to release the information they hold on individuals, and provide for the right to be forgotten as well as data portability. Increased regulatory scrutiny is coupled with a new Network Information Security (NIS) Directive, which is focused on boosting key infrastructure cybersecurity at the member state level through the creation of a ‘cybersecurity strategy, a national competent authority, and national cybersecurity incident response teams’.