Cybersecurity has hit the headlines again this week with news of two critical security flaws in the architecture of the central processing units (CPUs) of the world’s three largest chip producers, including Intel.
The bugs, known as Meltdown and Spectre, affect nearly every computer and device. They allow access to potentially sensitive data via unencrypted kernel and system memory, previously assumed to be protected at a hardware level.
There is currently no evidence that the flaws have been used by criminals. However, now that their existence has entered the public domain, we are likely to see a surge in malicious activity as hackers scramble to exploit the vulnerabilities before they can be patched.
As software companies rush out security patches and Intel and others are forced to redesign their CPU architecture from the ground up, it is vital that businesses prioritise cybersecurity.
As companies continue to generate and store ever-increasing volumes of personal and commercially sensitive data, the incentives for a cyber-attack are growing. This risk is further exacerbated by the increasing interconnectivity of devices and appliances known as the Internet of Things.
The number of companies affected by cybercrime is also rising. According to PwC’s Global State of Information Security Survey 2018, 29% of respondents reported loss or damage of internal records as a result of a security incident. These numbers are likely to dramatically underestimate the true figures, as a further 28% reported that they simply did not know how many cyber-attacks they had had.
Preparing for an attack
Although businesses can’t eliminate the risk of a cyberattack, they can dramatically reduce it by following these steps:
- Keep software (especially operating systems) updated, with mandatory updates on every device employees use to access business data, be it a smartphone, laptop or home computer.
- Put robust systems and controls in place to reduce the risk of accidental or intentional data breach by employees.
- Use a specialist security company to test the strength of your IT defences and find weak spots which can be patched.
- Provide regular information security training for employees at all levels in the company, which will not only keep your data safer but also help foster a culture of accountability and ownership.
- Carry out information security audits.
- Take out cyber insurance.
- Develop a contingency plan that sets out how you will respond to a data breach, including a first point of contact who can coordinate your response to reduce business disruption and keep costs to a minimum. This plan should take into account the new GDPR rules, which will mean that organisations will have to inform the regulators within 72 hours of becoming aware of a breach or face a fine.
A data breach can cause significant business disruption and financial costs combined with potential irreparable reputational damage.
Even if a breach stems from the Meltdown and Spectre bugs, this will not absolve a company which loses its data or that of its customers. The potential claims and sanctions could cost anywhere from tens of thousands to millions of pounds.
On top of this, a company hit by a data breach will have to manage the storm of negative publicity and invest in trying to regain the trust of its customer base. Every minute staff and management spend trying to close this digital Pandora’s box means less time is spent on the day-to-day running of the business, incurring further cost and resources.
No matter whether your business is large or small, you are faced with the same risks, so make sure you put measures in place to minimise these and ensure a fast and effective response should your business suffer an attack.