If your home is burgled or there is a break-in at your business premises, you get to know about it pretty quickly. It is very unlikely that it would take two years to come to light. Yet that is how long it has taken Yahoo (YHOO:NDQ) to realise it was the victim of the biggest hack in history, with details – names, passwords, email addresses, phone numbers, security questions – of 500 million users taken from the company’s network in late 2014.

The US company doesn’t believe that bank or credit card details were stolen but even so it stands out among the litany of cyber crimes, IT system breaches and digital data scams that are becoming almost everyday episodes in the world.

On the same day as the Yahoo news, it was announced that the White House was looking into a cyber breach after what appeared to be a scan of first lady Michelle Obama’s passport was posted online. The fresh disclosures, which included emails to and from White House staff, raised further concerns about the security of sensitive systems following a string of breaches affecting government agencies, private companies and the Democratic National Committee.

Household names including Ebay (EBAY:NDQ), Sony (6758:T) and Apple (AAPL:NDQ) have recently been victims of cyber attacks.

Closer to home, readers may still remember the cyber attack on broadband and calls supplier TalkTalk (TALK) in October 2015, when personal data and bank account details of more than four million of its customers were potentially compromised. The company subsequestly lost around 100,000 subscribers.

Heads in the sand

There remains limited sympathy for organisations or their bosses from cyber security experts. ‘The issues facing business today are entirely of their own making because people don’t take IT security seriously,’ says Rob Cotton, chief executive of escrow and IT assurance business NCC (NCC).

This is a passion of Cotton’s and he and his company have been banging this particular drum for years, even commissioning a study on the topic through research consultancy ComRes. The findings of which were released last week (27 September) in the Elephant in the Boardroom report, tying in with Cotton’s keynote address at the Institute of Directors’ Annual Convention on the growing cyber threat to business.

‘Cyber security is the greatest risk facing modern business,’
he states in response to the findings. ‘For years it hasn’t been taken seriously enough in boardrooms across the country and while these results don’t prove that it’s now being managed appropriately, they do show that directors are realising that greater scrutiny and oversight from regulators and government will stimulate the necessary action and help drive-up standards. This can only be a good thing for businesses and consumers alike.’

Investors could also benefit from this technology niche by having exposure to relevant technology stocks. ‘A rise in cyber crime has led to an increasing need for data protection, and businesses are having to spend more on security as well as frequently outsource their security needs to specialists,’ spells out Peel Hunt technology analyst Paraag Amin in a detailed report on data and its security needs published in September 2016.

‘Gartner forecasts that by 2018, global expenditure on cyber security will reach $101bn, up from circa $75bn today,’ reveals Amin.

ETFS ISE Cyber Security (ISPY) is an exchange-traded fund (ETF) which tracks a basket of global companies which work in this burgeoning space. It has a total expense ratio of 0.75%. While this is relatively expensive for an ETF, it reflects its scarcity value as the only UK product offering pure exposure to this theme and its relative greater complexity.

Price of failure

Gartner’s estimates could prove conservative given the enormous and escalating cost of cyber attacks on organisations large and small. According to data from the 2015 Information Security Breaches Survey, the average cost of a large organisation’s worst case security breach runs between £1.5m and £3.1m, or £75,000 to £311,000 for smaller companies, presumably capable of sending many less robust small businesses to the wall.

‘Look what happened to TalkTalk’s valuation,’ pointed out cyber crime commentator Howie Li, in the wake of its incident. ‘We saw that fall by more than £669m in under one week.’

While it is widely acknowledged that the broad, technically deep, evolving challenge that is cyber security has no silver bullet solution, there are effective steps that businesses can take now to help combat threats. The UK Government highlights four stages of security management that organisations can, and probably should, adopt:

• Risk assessment, planning and policies

• Technology build and systems protection

• Manage and monitor

• Incident response

New rules are also being introduced to guide and enforce basic standards of IT security. The introduction of the GDPR (General Data Protection Regulation) will come into effect from May 2018 following a two-year transition period that began earlier this year.

This new EU-wide legislation will provide the framework for better protections for personal data, and the tool kit for the police and criminal justice sectors to enforce laws. Such steps would appear to apply extra regulatory drivers to the already emerging commercial requirements of organisations, a useful by-product that should underpin surging demand for expert advice and implementation of effective solutions from the private sector.

‹ Previous2016-10-06Next ›