As we reflect on 2016, there are two stand-out events that dwarf every other piece of news this year – the decision of the UK to leave the EU and the election of one Donald J Trump. Both put cyber security in the spotlight in 2016 for different reasons – from the confusing to the bizarre.
But it wasn’t just the changing political landscape that caught our eye. Many organisations were affected by ransomware attacks and one high profile business discovered just how costly the on-going fall-out from their data breach would turn out to be.
So, let’s look back at 2016 through the cyber security lens of Ascentor.
Data protection – caught in a confusing place
One of our most read articles in 2016 addressed data protection. Written in the calm before Brexit, the opening line was “If you are involved in data protection for your organisation, you may feel like you are facing change and uncertainty in equal measure – and you’d be right.” We couldn’t have described the year ahead any better.
The article ‘Data Protection – your ‘need to know’ list is getting longer’ didn’t only cover the EU General Data Protection Regulation (GDPR) but its inclusion probably accounted for its popularity. The article gave a checklist to prepare for GDPR – already a confusing issue – and then the referendum happened. For some time, there has been a date in the diary of 25th May 2018 when GDPR is set to come into force. But, post referendum, would this still be the case? Later in the year, the Deputy Information Commissioner Steve Wood said that UK businesses were “caught in a confusing place, between looming EU regulation and Brexit.”
So, in our October article ‘Cutting through the confusion: GDPR and Brexit’ we went on to discuss some of the assumptions, and possible data protection scenarios as we leave the EU. Although the overwhelming consensus seems to be that GDPR will happen, the exact details, as with much Brexit planning, remain somewhat vague.
Ransomware – back up or pay up
For those organisations that thought ransomware attacks only happened to other businesses, many discovered the costly truth in 2016. The spread, prevalence and impact of ransomware on organisations that previously may have thought that they were safe opened the eyes of a lot of managers this year.
New data from Kaspersky Lab found that ransomware attacks on businesses grew threefold in 2016 to reach one every 40 seconds by October. That was up from one every 2 minutes at the beginning of the year. It was even worse for individuals, with an attack on somebody every 10 seconds on average. What’s more, it is estimated that 20% of small businesses didn’t get their data back even after paying up.
Ascentor published a series of articles this year addressing the issues caused by ransomware, with strategies and tips for prevention. Starting with the single user, then moving on to the needs of SMEs and larger organisations, our advice was ‘back up – or pay up’. You can find all three articles here.
The end of the CLAS era
2016 was the first year without CLAS – the CESG Listed Adviser Scheme. Instead, security consultancy organisations will need to register under the Certified Cyber Security Consultancy (CCSC) scheme, and IA consultants will need to achieve CESG Certified Professional (CCP) status.
CCSC has been developed to certify services provided by consultancies, rather than individual consultants. Ascentor sees this as a positive. During 2016, our consultants have been achieving their CCP qualifications. In 2017, we will be joining the CCSC scheme.
By introducing CCSC, CESG aims to establish the wider credentials of consultancy companies to deliver high-quality, tailored and expert cyber security advice. It is designed to help government, the wider public sector and industry obtain the right cyber security consultancy services and by doing so help them protect their information and conduct business online safely.
TalkTalk – a powerful case for prevention
In 2015, TalkTalk was at the centre of one of the most humiliating UK hacks of customer data. If they hoped that 2016 would be kinder to them they must be feeling somewhat disappointed. First there was the inevitable loss of customers – estimated to be c.100,000, then a record ICO fine of £400,000, more negative publicity surrounding the security of their routers and, to cap it all, the cyber ‘mastermind’ behind last year’s hack was identified as a 17-year-old too young to even be named.
While the breakdown in relations with customers and negative publicity is reckoned to have cost TalkTalk £60 million, the offender has merely received a 12-month rehabilitation order from the judge and had his iPhone confiscated. As Monty Python might have said, “he’s not a cyber criminal, he’s a very naughty boy.”
The whole TalkTalk episode demonstrates the difficulty organisations face after a data breach – constantly scrutinised for the next error as the business is trying to re-build trust. As your doctor will tell you, prevention is better than cure – and the same applies in the cyber world. If only TalkTalk had been able to read our article ‘An ounce of prevention could be worth a ton of cyber attack cure’ – they would have discovered that simple measures can defeat the majority of basic attacks.
From Russia with love? Hacking and the US election
Finally, we end the year with the cyber security story that surely Trumps all others… Was it the Russians ‘wot won it’?
It was a bizarre US election that saw outbursts and accusations you frankly couldn’t have made up – and cyber security was well represented in the mix. In early December the CIA announced to a group of top US senators that Russian hacking was aimed at helping Donald Trump – a statement subsequently backed by the White House.
Dismissing the claim as ‘ridiculous’, the President-elect then gave a quote that sums up the challenge now faced not only by organisations but by whole countries.
“They have no idea if it’s Russia or China or somebody. It could be somebody sitting in a bed some place. I mean they have no idea.” Donald Trump
Well that’s reassuring then.
It’s going to be an interesting few weeks. President Obama has ordered US intelligence agencies to complete a full review of hacking in US elections going back to 2008 before he leaves office. We haven’t heard the last of this.
Keep up with Ascentor in 2017
We covered a lot more on our blog this year. We also addressed the future of Information Assurance accreditation, the challenges surrounding supply chain cyber security and delivering digital transformation without the security risk. We explored cyber insurance and took another look at passwords.
Finally, if you’ve read or shared our content this year, thank you. We hope it’s been of benefit.
Here’s to a successful, safe and (more) secure 2017.