In a world beset by geo-political turmoil, you’d think that finance leaders would have bigger things to be afraid of than cybersecurity. However, the number of hacks does not seem to be abating, with an ever-growing list of companies falling prey to malicious actors, crouched and hooded behind their computers like the Grim Reaper, fingers hooked like scythes ready to carve through their victims’ profits.
The 2015 Cost of Data Breach Study by IBM and the Ponemon Institute found that the average total cost of a data breach was $3.79 million - up from $3.52 million in 2014. Corking this flood requires a company-wide effort, but ultimate responsibility largely rests with the CFO. In a recent Grant Thornton survey, 38% of respondents identified the CFO as the position within the organization most often said to be responsible for cybersecurity, with the CIO a close second on 36%. This is logical: CFOs are positioned, as TeleSign CFO Matt Hardy told Forbes, to empower and enact ‘a proactive plan that takes the concern everyone is feeling and translating it into action.’
We’ve looked at five of the most horrific acts of cyber terror to befall companies. In horror films, it’s easy to sit back and tell the pretty blonde not to run back into the house to be slaughtered by the masked killer. Equally, many of these companies are responsible for leaving themselves exposed and failing to adequately defend themselves.
Yahoo, already a shadow of the behemoth it once was, confirmed recently that more than 500 million of its user accounts have been stolen - the largest data breach from a single site in history.
The hack is said to have actually occurred in late 2014, which means it took the company two years to realize there had been a breach. Admittedly, it had other things on its mind, but to find out about the theft only when someone tried to offload a further 200 million stolen account details is more than just absent-minded; it suggests a singular lack of cybersecurity policy that needs rectifying immediately.
Marketing firm Epsilon was struck by hackers back in 2011, in what is believed to be the most costly breach in history, with estimates varying between $100 million and $4 billion.
Thieves stole names and email addresses from the company’s marketing division, affecting clients that included JPMorgan Chase, Capital One, Citi, and Target. The company handles more than 40 billion emails, many of which will have been subject to phishing scams - hackers masquerading as one of the companies to elicit money. In a worst-case scenario, analysts predict the costs of the breach could reach $4 billion, not to mention the reputational damage caused.
LinkedIn’s hack is a classic example of mismanagement. In 2016, hacking group ‘Peace’ were caught trying to sell 167 million LinkedIn user accounts — 117 million of which had both emails and encrypted passwords. This data was stolen in a hack of the social network in 2012, during which 6.5 million passwords were reported as stolen.
Despite such a significant amount having been taken, LinkedIn neither investigated the original breach nor informed affected users over the course of the intervening four years, raising a number of questions.
Bangladesh Central Bank
The APAC region is renowned for its weak cybersecurity, with a study by Mandiant M-Trends finding that the average discovery time for a breach in the region is 520 days, significantly higher than the global average of just 146 days.
A classic example of this is Bangladesh Bank, whose online systems were penetrated and credentials for payment transfers stolen. Thieves then made 35 requests for the Federal Reserve Bank of New York to transfer money from the Bangladesh Bank's account to entities in the Philippines and Sri Lanka. The attack successfully compromised $81m and could have eventually seen more than $1 billion taken, were it not for the bandits misspelling ‘foundation’ and their plot being discovered.
Investigators say the lack of basic defence mechanisms was a key vulnerability, aided by a suspected insider, again pointing to failures in management and to insufficient emphasis on cybersecurity efforts.
Sony has been the victim of numerous hacks, including one of the most notorious when emails were taken from senior executives and published in an attempt to embarrass the tech giant ahead of the release of The Interview.
Norse’s co-founder and chief technology officer, Tommy Stiansen, had visited the Sony studio to pitch his company’s services to defend the studio against hackers in the weeks leading up to the hack, with Sony having long been targeted due to heavy-handed efforts to protect intellectual property. Its PlayStation Network, for one, was hit by a $171 million hack in 2011. Given the scale of the previous hack, you would have thought they would have been more careful. However, Stiansen noted: ‘I got a little shocked. Their Info Sec was empty, and all their screens were logged in. Basically the janitor can walk straight into their Info Sec department.’
The reputational damage caused by the hack was tremendous, and struck terror into the heart of corporate boardrooms across the world. However, the fault rests primarily with what appears to be a failure from the top to take the issue of cybersecurity seriously. Even the studio cybersecurity chief Spaltro once told CIO magazine: ‘We literally could go broke trying to cover for everything. I will not invest $10 million to avoid a possible $1 million loss. It’s a valid business decision to accept the risk.’
As it turns out, it wasn’t. And, frankly, it never is.